CVE-2026-2082
Unknown Unknown - Not Provided
Remote OS Command Injection in D-Link DIR-823X via MAC Clone Function

Publication date: 2026-02-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2082
EUVD
EUVD-2026-5731
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dir-823x_firmware 250416
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2082 is a remote OS command injection vulnerability in the D-Link DIR-823X router, firmware version 250416. It occurs in the /goform/set_mac_clone endpoint due to improper sanitization of the 'mac' parameter."}, {'type': 'paragraph', 'content': "Specifically, the vulnerability arises because the input filtering fails to block newline characters, which can be used as command separators in shell commands. An authenticated attacker can inject arbitrary shell commands via the 'mac' parameter."}, {'type': 'paragraph', 'content': 'These injected commands are executed with root privileges during the network service restart process, allowing the attacker to execute arbitrary commands on the device remotely.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows an authenticated remote attacker to execute arbitrary OS commands with root privileges on the affected router.

  • Compromise of device confidentiality, integrity, and availability.
  • Potential full control over the router, including modifying configurations, intercepting or disrupting network traffic, and installing malicious software.
  • Disruption of network services due to arbitrary command execution, such as restarting network services or causing denial of service.
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /goform/set_mac_clone endpoint on the D-Link DIR-823X router for command injection via the mac parameter.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves authenticating to the router and injecting shell commands through the mac parameter, then triggering a network restart to execute the commands.'}, {'type': 'paragraph', 'content': "One detection method is to inject a harmless command such as 'sleep' and measure response delays to confirm command execution."}, {'type': 'list_item', 'content': 'Authenticate to the router using token-based login with HMAC-SHA256 hashing.'}, {'type': 'list_item', 'content': 'Send a crafted request to /goform/set_mac_clone with the mac parameter containing injected commands separated by newline characters.'}, {'type': 'list_item', 'content': 'Trigger the network restart by setting the set_flag parameter to "1" to execute the injected commands.'}] [3]

Mitigation Strategies

Immediate mitigation steps include replacing the current blacklist filtering with a strict whitelist that only allows valid MAC address characters such as [0-9a-fA-F:].

Avoid using system shell calls to apply configuration changes; instead, use the UCI C API functions (uci_set, uci_commit) directly to prevent command injection.

If shell commands must be used, ensure all input is properly escaped, including newline characters, to prevent injection.

Since no known countermeasures or patches are reported, consider replacing the affected D-Link DIR-823X router with a secure alternative.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart