CVE-2026-2120
Unknown Unknown - Not Provided
OS Command Injection in D-Link DIR-823X Configuration Handler

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2120
EUVD
EUVD-2026-5826
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dir-823x_firmware 250416
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2120 is a remote OS command injection vulnerability found in the D-Link DIR-823X router (firmware version 250416). It exists in the /goform/set_server_settings endpoint of the Configuration Parameter Handler component. The vulnerability arises because the router improperly sanitizes user-supplied parameters terminal_addr, server_ip, and server_port. Specifically, it fails to filter newline characters, allowing an authenticated attacker to inject arbitrary shell commands by terminating the intended configuration command and appending malicious commands.

The injected commands are executed with root privileges on the device, potentially compromising the entire system. Exploitation requires authentication but can be performed remotely. A proof-of-concept exploit is publicly available, demonstrating how an attacker can authenticate, send crafted requests with injection payloads, and execute arbitrary commands on the router.

Impact Analysis

This vulnerability allows a remote authenticated attacker to execute arbitrary shell commands with root privileges on the affected D-Link DIR-823X router. This can lead to full compromise of the device, including unauthorized access, modification, or disruption of network configurations and services.

  • Compromise of device confidentiality, integrity, and availability.
  • Potential for persistent backdoors or malware installation.
  • Disruption of network connectivity or denial of service.
  • Use of the compromised device as a pivot point for further attacks within the network.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the /goform/set_server_settings endpoint on the D-Link DIR-823X router, especially those containing unusual characters such as newline (\\n) in the parameters terminal_addr, server_ip, or server_port.'}, {'type': 'paragraph', 'content': 'A practical detection method involves monitoring network traffic for POST requests to /goform/set_server_settings and inspecting the parameters for injection patterns, such as embedded newline characters or shell command fragments.'}, {'type': 'paragraph', 'content': 'Additionally, you can attempt authenticated access to the router and manually test the endpoint by sending crafted POST requests with payloads containing newline characters in the vulnerable parameters to verify if command injection is possible.'}, {'type': 'paragraph', 'content': 'Example commands to detect the vulnerability might include using curl to send a test POST request with an injection payload (requires valid authentication token and credentials):'}, {'type': 'list_item', 'content': "curl -X POST -d 'terminal_addr=127.0.0.1\\nwhoami&server_ip=1.2.3.4&server_port=80' -H 'Cookie: session=YOUR_SESSION_TOKEN' http://TARGET_IP/goform/set_server_settings"}, {'type': 'list_item', 'content': 'Monitor router logs or system behavior for execution of injected commands (e.g., output of whoami or delays caused by sleep commands).'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting and sanitizing input parameters terminal_addr, server_ip, and server_port to allow only valid IP address formats (digits and dots) and numeric-only input for server_port.'}, {'type': 'paragraph', 'content': 'Explicitly filter out control characters such as newline (0x0A) and carriage return (0x0D) from these parameters to prevent command injection.'}, {'type': 'paragraph', 'content': 'Avoid using shell commands to apply configuration changes; instead, use parameterized APIs or libraries (e.g., libuci) that safely handle configuration without invoking the shell.'}, {'type': 'paragraph', 'content': 'Ensure that all shell scripts and commands properly quote user inputs and avoid unsafe functions like eval.'}, {'type': 'paragraph', 'content': "If possible, restrict access to the router's management interface to trusted networks and enforce strong authentication to reduce the risk of exploitation."}, {'type': 'paragraph', 'content': 'Consider replacing or updating the affected device firmware if a patch becomes available, or use an alternative device not affected by this vulnerability.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2120. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart