Executive Summary

CVE-2026-2061 is a remote OS command injection vulnerability found in the D-Link DIR-823X router, version 250416. It exists in the function sub_424D20 within the /goform/set_ipv6 endpoint, which handles IPv6 configuration.

The vulnerability arises because user input parameters such as dns_server and pppUserName are not properly sanitized before being used to construct OS commands. Specifically, the input filtering function uses a blacklist that fails to block newline characters, allowing attackers to inject newline characters that split commands and enable execution of arbitrary shell commands.

Exploitation requires authentication but can be performed remotely, leading to remote code execution with root privileges. The flaw allows attackers to execute arbitrary commands on the device by injecting malicious input into the IPv6 configuration interface.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an authenticated remote attacker to execute arbitrary shell commands with root privileges on the affected D-Link DIR-823X router.

Successful exploitation compromises the confidentiality, integrity, and availability of the device, potentially allowing the attacker to take full control of the router, manipulate network configurations, intercept or alter network traffic, or disrupt network services.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to send specially crafted POST requests to the /goform/set_ipv6 endpoint of the D-Link DIR-823X router (version 250416). The requests should include parameters such as dns_server or pppUserName containing newline characters (\\n) followed by shell commands to test for command injection.'}, {'type': 'paragraph', 'content': 'Detection involves verifying if the router executes injected commands by observing unexpected behavior or responses after sending these crafted requests.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit uses a Python script that logs into the router using token-based HMAC-SHA256 authentication and sends POST requests with payloads injecting commands via parameters.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send POST requests to http://<router-ip>/goform/set_ipv6 with parameters containing newline characters and shell commands.'}, {'type': 'list_item', 'content': 'Example curl command to test injection (replace <router-ip> and authentication tokens accordingly):'}, {'type': 'paragraph', 'content': 'curl -X POST http://<router-ip>/goform/set_ipv6 -d "dns_server=8.8.8.8\\nwhoami" -H "Cookie: session=<session_token>"'}, {'type': 'paragraph', 'content': "Monitor the router's response or behavior for signs that the injected command (e.g., whoami) was executed."}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, no known mitigations or countermeasures exist for this vulnerability in the affected firmware version.'}, {'type': 'paragraph', 'content': "Immediate steps include restricting access to the router's management interface to trusted users only, ensuring strong authentication, and monitoring for suspicious activity."}, {'type': 'paragraph', 'content': 'Replacement of the affected product is suggested as a mitigation measure.'}, {'type': 'paragraph', 'content': 'If possible, avoid using the vulnerable /goform/set_ipv6 interface or disable remote management features until a patch or updated firmware is available.'}] [1, 2]

Useful 0 Not Useful 0