The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security vulnerabilities in D-Link Wi-Fi cameras and video recorders to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the flaws are under active attack and must be fixed by federal agencies by August 26, 2025.

The affected products include D-Link’s DCS-2530L and DCS-2670L security cameras, and the DNR-322L network video recorder, some of which reached end-of-life (EoL) years ago but are still used in homes and offices. According to CISA, the flaws pose “a significant risk to the federal enterprise” and should be treated as a high priority under Binding Operational Directive (BOD) 22-01.

The vulnerabilities include CVE-2020-25078, a flaw that exposes the admin password to unauthenticated remote attackers; CVE-2020-25079, a command injection bug in the cameras’ CGI component; and CVE-2022-40799, which allows attackers to execute OS-level commands on the DNR-322L network video recorder via a backup config feature. CISA said these weaknesses are being actively exploited in real-world attacks and could lead to device hijacking, malware injection, or botnet enlistment.

CVE-2020-25078 “allows remote attackers to access the admin password via an unauthenticated endpoint,” while CVE-2022-40799 could let an attacker “run OS-level commands on the device.” The DNR-322L flaw remains unpatched because the device was discontinued in 2021, and users are advised to replace it immediately.

Though BOD 22-01 only applies to federal agencies, CISA is urging all organizations to prioritize mitigation. “We recommend reducing exposure to cyberattacks by addressing KEV-listed vulnerabilities as a core part of your vulnerability management program,” the agency said.

The FBI had previously flagged the same camera models in HiatusRAT campaigns, and researchers believe these flaws continue to serve as easy entry points into larger networks. Firmware patches for CVE-2020-25078 and CVE-2020-25079 were issued in 2020, but many devices may still be running outdated software.

As always, CISA recommends updating devices to the latest firmware, isolating them from business networks, and monitoring for signs of compromise.