CVE-2018-20305

Name: CVE-2018-20305
Creator: NVD / NIST
Published: 2018-12-20T00:29:00.457+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 4.07%

Last modified Jun 17, 2026

CVE-2018-20305 is a vulnerability of currently unknown severity. D-Link DIR-816 A2 1.10 B05 devices allow arbitrary remote code execution without authentication via the newpass parameter. In the /goform/form2userconfig.cgi handler function, a long password may lead to a stack-based buffer overflow and overwrite a return address.. EPSS estimates a 4.07% chance of exploitation in the next 30 days.

Description

D-Link DIR-816 A2 1.10 B05 devices allow arbitrary remote code execution without authentication via the newpass parameter. In the /goform/form2userconfig.cgi handler function, a long password may lead to a stack-based buffer overflow and overwrite a return address.

Metrics

EPSS Probability

4.07%

89.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-787

Affected Software

Vendor	Product	Versions
D-Link	Dir-816 A2 Firmware	1.10b05

References

https://github.com/RootSoull/Vuln-Poc/tree/master/D-Link/DIR-816Exploit, Third Party Advisory
https://github.com/RootSoull/Vuln-Poc/tree/master/D-Link/DIR-816Exploit, Third Party Advisory

Timeline

Published: Dec 20, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-20305?

How severe is CVE-2018-20305?

Severity scoring for CVE-2018-20305 is pending analysis. The EPSS model estimates a 4.07% probability of exploitation in the next 30 days.

How do I fix CVE-2018-20305?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-20305?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST