CVE-2026-2082
Remote OS Command Injection in D-Link DIR-823X via MAC Clone Function
Publication date: 2026-02-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-2082 is a remote OS command injection vulnerability in the D-Link DIR-823X router, firmware version 250416. It occurs in the /goform/set_mac_clone endpoint due to improper sanitization of the 'mac' parameter.

Specifically, the vulnerability arises because the input filtering fails to block newline characters, which can be used as command separators in shell commands. An authenticated attacker can inject arbitrary shell commands via the 'mac' parameter.

These injected commands are executed with root privileges during the network service restart process, allowing the attacker to execute arbitrary commands on the device remotely. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an authenticated remote attacker to execute arbitrary OS commands with root privileges on the affected router.
- Compromise of device confidentiality, integrity, and availability.
- Potential full control over the router, including modifying configurations, intercepting or disrupting network traffic, and installing malicious software.
- Disruption of network services due to arbitrary command execution, such as restarting network services or causing denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /goform/set_mac_clone endpoint on the D-Link DIR-823X router for command injection via the mac parameter.

A proof-of-concept involves authenticating to the router and injecting shell commands through the mac parameter, then triggering a network restart to execute the commands.

One detection method is to inject a harmless command such as 'sleep' and measure response delays to confirm command execution.

- Authenticate to the router using token-based login with HMAC-SHA256 hashing.
- Send a crafted request to /goform/set_mac_clone with the mac parameter containing injected commands separated by newline characters.
- Trigger the network restart by setting the set_flag parameter to "1" to execute the injected commands.

[3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the current blacklist filtering with a strict whitelist that only allows valid MAC address characters such as [0-9a-fA-F:].
Avoid using system shell calls to apply configuration changes; instead, use the UCI C API functions (uci_set, uci_commit) directly to prevent command injection.
If shell commands must be used, ensure all input is properly escaped, including newline characters, to prevent injection.
Since no known countermeasures or patches are reported, consider replacing the affected D-Link DIR-823X router with a secure alternative.
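As an added illustration of the whitelist advice above (this is example code, not the advisory's or D-Link's firmware code), the following C contrasts a constructed blacklist-style filter, which strips common shell metacharacters but lets a newline through, with a strict format check that accepts only XX:XX:XX:XX:XX:XX. The blacklist is a stand-in for the failure mode the advisory describes, not the router's actual filter.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed blacklist filter, shown only for contrast: it rejects a few
 * shell metacharacters but not '\n', so a newline still reaches the shell
 * where it acts as a command separator (the CWE-78 pattern on this page). */
static bool mac_blacklist_ok(const char *s)
{
    static const char bad[] = ";|&`$()<>";
    for (; *s; s++)
        if (strchr(bad, *s))
            return false;
    return true;
}

/* Strict whitelist: exactly 17 characters in the form XX:XX:XX:XX:XX:XX,
 * hex digits only ([0-9a-fA-F:]). Any other byte, including control
 * characters such as '\n', is rejected, so the value can never carry a
 * command separator into a downstream shell call. */
static bool mac_whitelist_ok(const char *s)
{
    size_t len = strlen(s);
    if (len != 17)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)s[i])) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs: a well-formed MAC and one with an embedded newline. */
    const char *good = "00:11:22:33:44:55";
    const char *with_newline = "00:11:22:33:44:55\nfoo";
    printf("blacklist: valid=%d newline=%d\n",
           mac_blacklist_ok(good), mac_blacklist_ok(with_newline));
    printf("whitelist: valid=%d newline=%d\n",
           mac_whitelist_ok(good), mac_whitelist_ok(with_newline));
    return 0;
}
```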