CVE-2026-2081
OS Command Injection in D-Link DIR-823X /goform/set_password
Publication date: 2026-02-07
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2081 is a remote OS command injection vulnerability in the D-Link DIR-823X router, firmware version 250416. It occurs in the /goform/set_password endpoint due to improper sanitization of the http_passwd parameter. Specifically, the system fails to filter newline characters, allowing an authenticated attacker who knows the current administrator password to inject arbitrary shell commands.
These injected commands are executed with root privileges when the router commits its configuration, enabling the attacker to run commands on the device with elevated rights.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary commands on the router with root privileges remotely. This can lead to full compromise of the device, affecting its confidentiality, integrity, and availability.
- Remote command execution with root privileges
- Potential takeover of the router and network traffic interception or manipulation
- Disruption of network services or device functionality
- Exposure to further attacks leveraging the compromised device
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit the /goform/set_password endpoint with malicious payloads in the http_passwd parameter. Since exploitation requires authentication, monitoring authenticated requests to this endpoint for unusual or suspicious input containing newline characters (\n) or shell command patterns can help detect attacks.
Suggested commands for detection include using network monitoring tools or web server logs to filter requests to /goform/set_password and inspecting the http_passwd parameter for newline characters or suspicious command injection patterns.
- Use tcpdump or Wireshark to capture HTTP POST requests to /goform/set_password and analyze the payload.
- Use grep or similar tools on web server or router logs to find requests containing 'http_passwd' with newline characters or suspicious shell metacharacters.
- Example grep command: `grep '/goform/set_password' /path/to/logfile | grep -i '%0A'`. In a URL-encoded request body a newline is transmitted as %0A, which is what survives in a line-oriented log; `grep -P '\n'` cannot match a literal newline because grep strips the line terminator before matching.
- Monitor for unusual delays or side effects caused by injected commands like 'sleep' which may indicate exploitation attempts. [1, 2]
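The following is an added detection example, not part of the original advisory or any D-Link code. It runs the check described above over a handful of constructed log lines: each line is assumed to be in the form `<client> <method> <path> <urlencoded body>` (a hypothetical log layout; adapt the regex to whatever your proxy or router actually writes). The script URL-decodes the POST body, pulls out `http_passwd`, and flags values containing control characters (which is where a `%0A` newline ends up after decoding) or shell separators such as `;`, `|`, backticks or `$(`. Characters the advisory's own password whitelist permits (`!@#$%^&*`) are deliberately not flagged, to keep false positives down.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real traffic). Layout is assumed:
# "<client> <method> <path> <urlencoded body>".
SAMPLE_LOG = [
    "192.0.2.10 POST /goform/set_password http_passwd=Summer2026%21&http_passwd_confirm=Summer2026%21",
    "192.0.2.10 POST /goform/set_password http_passwd=abc%0Asleep+5%0A&http_passwd_confirm=abc",
    "192.0.2.11 POST /goform/set_password http_passwd=x%3Bsleep+5&http_passwd_confirm=x",
    "192.0.2.12 GET /index.html -",
    "192.0.2.13 POST /goform/set_password http_passwd=Correct-Horse-Battery&http_passwd_confirm=Correct-Horse-Battery",
]

LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\S+)$")
TARGET_PATH = "/goform/set_password"

# ASCII control characters 0x00-0x1F; a URL-encoded %0A decodes to "\n" and lands here.
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")
# Shell command separators/substitution that have no business in a password.
# Note: $, &, ! etc. are allowed by the advisory's whitelist, so they are not flagged.
SHELL_META = re.compile(r"[;|`]|\$\(")


def suspicious_password(value):
    """Return the list of reasons a decoded http_passwd value looks like an injection attempt."""
    reasons = []
    if CONTROL_CHARS.search(value):
        reasons.append("control character")
    if SHELL_META.search(value):
        reasons.append("shell metacharacter")
    return reasons


def scan_log(lines):
    """Scan log lines for set_password requests whose http_passwd looks malicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path") != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so %0A becomes "\n" and %3B becomes ";".
        params = parse_qs(m.group("body"), keep_blank_values=True)
        for value in params.get("http_passwd", []):
            reasons = suspicious_password(value)
            if reasons:
                hits.append({"src": m.group("src"), "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']}: {', '.join(hit['reasons'])} in http_passwd={hit['value']!r}")
```

Run it as-is to see the two constructed injection attempts flagged while the two ordinary password changes pass; point `scan_log` at real lines once the regex matches your log format.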
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /goform/set_password endpoint and ensuring only trusted authenticated users can access it.
Implement strict input validation on the http_passwd parameter to reject newline characters and other control characters that enable command injection.
Suggested mitigations from the advisory include:
- Apply strict whitelist validation for passwords using regex patterns such as ^[a-zA-Z0-9!@#$%^&*]+$, explicitly rejecting newline characters.
- Replace shell command concatenation with direct UCI C API calls (e.g., uci_set, uci_commit) to avoid shell interpretation.
- Sanitize all control characters (ASCII 0x00-0x1F) before passing inputs to shell-executing functions.
If possible, update the router firmware to a version that addresses this vulnerability or consider replacing the affected device.
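The following is an added example of the input-validation and no-shell mitigations listed above; it is not code from the advisory or from the D-Link firmware, and the configuration key it writes (`example.admin.http_passwd`) is a hypothetical placeholder. It applies the advisory's whitelist regex `^[a-zA-Z0-9!@#$%^&*]+$` together with an explicit control-character rejection (ASCII 0x00-0x1F), and contrasts a hypothetical command built by string concatenation, where a newline in the password turns one `uci set` line into two shell commands, with a hardened version that passes the validated value as a single argv element so no shell parses it. An argument vector is used as the Python stand-in for the direct `uci_set`/`uci_commit` C API calls the advisory recommends; length bounds are an added assumption.

```python
import re

# Whitelist from the advisory's suggested mitigation, plus an explicit control-character check.
PASSWORD_RE = re.compile(r"^[a-zA-Z0-9!@#$%^&*]+$")
CONTROL_RE = re.compile(r"[\x00-\x1f]")

# Hypothetical UCI key; the real firmware's key is not given in the advisory.
CONFIG_KEY = "example.admin.http_passwd"


class InvalidPassword(ValueError):
    """Raised when a candidate password fails validation."""


def validate_password(candidate, min_len=8, max_len=64):
    """Return the candidate unchanged if it passes all checks, else raise InvalidPassword."""
    if not isinstance(candidate, str):
        raise InvalidPassword("not a string")
    if CONTROL_RE.search(candidate):
        raise InvalidPassword("control character rejected")
    if not PASSWORD_RE.fullmatch(candidate):
        raise InvalidPassword("character outside whitelist")
    if not (min_len <= len(candidate) <= max_len):   # assumed bounds, not from the advisory
        raise InvalidPassword("length out of range")
    return candidate


def is_valid_password(candidate):
    """Boolean convenience wrapper around validate_password."""
    try:
        validate_password(candidate)
    except InvalidPassword:
        return False
    return True


def vulnerable_command(http_passwd):
    """Hypothetical unsafe pattern: the raw parameter is concatenated into a shell string.

    A newline inside http_passwd terminates the `uci set` line, so the shell runs
    whatever follows as its own command. Nothing is executed here; the string is
    returned so the effect can be inspected.
    """
    return f"uci set {CONFIG_KEY}={http_passwd}; uci commit"


def hardened_argv(http_passwd):
    """Validate first, then build argument vectors that never pass through a shell.

    Each list is one process's argv; the password travels as part of a single
    element, so newlines or metacharacters could not change the command even if
    validation were bypassed.
    """
    value = validate_password(http_passwd)
    return [["uci", "set", f"{CONFIG_KEY}={value}"], ["uci", "commit"]]


if __name__ == "__main__":
    injected = "abc\nsleep 5"                       # constructed malicious input
    print(vulnerable_command(injected).splitlines())  # two shell lines: injection succeeded
    print(hardened_argv("Summer2026!"))            # validated value inside one argv element
    print(is_valid_password(injected))             # False: rejected before reaching any command
```

The point of keeping `hardened_argv` separate from `validate_password` is defence in depth: the whitelist stops the bad value at the boundary, and the argv form means that even a value that slipped past validation would still be treated as data rather than as shell syntax.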