CVE-2026-2120
OS Command Injection in D-Link DIR-823X Configuration Handler
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2120 is an OS command injection vulnerability (CWE-78) in the D-Link DIR-823X router, firmware version 250416. It is located in the /goform/set_server_settings endpoint of the Configuration Parameter Handler component. The handler passes the user-supplied parameters terminal_addr, server_ip and server_port into an OS command without adequate sanitization; in particular it does not strip newline characters, so an authenticated attacker can end the intended configuration command with a newline and append a command of their choosing, which the shell then runs as a separate command.
The injected commands run with root privileges on the device, so a successful attack compromises the whole system. Exploitation requires valid credentials for the management interface but can be carried out remotely over the network. A proof-of-concept exploit is publicly available; it authenticates to the router, sends crafted requests carrying the injection payload, and executes arbitrary commands on the device.
How can this vulnerability impact me?
This vulnerability allows a remote authenticated attacker to execute arbitrary shell commands with root privileges on the affected D-Link DIR-823X router. This can lead to full compromise of the device, including unauthorized access, modification, or disruption of network configurations and services.
- Compromise of device confidentiality, integrity, and availability.
- Potential for persistent backdoors or malware installation.
- Disruption of network connectivity or denial of service.
- Use of the compromised device as a pivot point for further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by looking for unauthorized or suspicious POST requests to the /goform/set_server_settings endpoint on the D-Link DIR-823X router, in particular requests whose terminal_addr, server_ip or server_port parameters contain unusual characters such as a newline (0x0A, often sent URL-encoded as %0a).
A practical detection method is to monitor network traffic for POST requests to /goform/set_server_settings and inspect those three parameters for injection patterns: embedded newline or carriage-return characters, or shell command fragments, in fields that should only ever hold an IP address or a port number.
You can also verify the flaw directly on a device you are authorized to test: authenticate to the router and send a crafted POST request with a newline followed by a harmless command in one of the vulnerable parameters, then check whether that command ran.
Example command (requires a valid session cookie; the $'...' quoting makes bash turn \n into a real newline byte, which a plain '...' string would not, so curl would otherwise send the two characters backslash and n):
- curl -X POST -d $'terminal_addr=127.0.0.1\nwhoami&server_ip=1.2.3.4&server_port=80' -H 'Cookie: session=YOUR_SESSION_TOKEN' http://TARGET_IP/goform/set_server_settings
- Monitor router logs or system behaviour for execution of the injected command (e.g. output of whoami, or a measurable delay when the payload is sleep 10). [1]
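The network-side check described above, as an added example that is not part of the original page: it walks a list of request records (source, method, path, body) and flags POST requests to /goform/set_server_settings whose terminal_addr, server_ip or server_port values contain newline, carriage return or common shell separators. The request records are constructed here for illustration, not real captures; parse_qs decodes %0a to a real newline, so URL-encoded payloads are caught as well as raw ones.

```python
"""Flag set_server_settings requests whose IP/port parameters carry
control characters or shell metacharacters (added example; the sample
requests are constructed, not captured)."""
import re
from urllib.parse import parse_qs

ENDPOINT = "/goform/set_server_settings"
WATCHED_PARAMS = ("terminal_addr", "server_ip", "server_port")

# Newline/CR are what the advisory says the handler fails to strip; the
# other characters are the separators an attacker tries once they know
# the value lands on a shell command line.
SUSPICIOUS = re.compile(r"[\r\n;|&`$()]")


def suspicious_params(body: str) -> dict:
    """Return {param: decoded_value} for watched params that contain a
    suspicious character. parse_qs already URL-decodes, so %0a -> '\\n'."""
    found = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if SUSPICIOUS.search(value):
                found[name] = value
    return found


def scan_requests(records) -> list:
    """records: iterable of (src_ip, method, path, body).
    Returns one alert dict per request that hits the endpoint with a
    suspicious watched parameter."""
    alerts = []
    for src, method, path, body in records:
        if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
            continue
        hit = suspicious_params(body)
        if hit:
            alerts.append({"src": src, "params": hit})
    return alerts


# Constructed sample traffic: a benign save, a raw-newline payload, a
# URL-encoded newline payload, and an unrelated GET.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST", ENDPOINT,
     "terminal_addr=10.0.0.5&server_ip=10.0.0.1&server_port=514"),
    ("192.0.2.11", "POST", ENDPOINT,
     "terminal_addr=127.0.0.1\nid&server_ip=1.2.3.4&server_port=80"),
    ("192.0.2.12", "POST", ENDPOINT,
     "terminal_addr=127.0.0.1&server_ip=1.2.3.4%0asleep%2010&server_port=80"),
    ("192.0.2.13", "GET", "/goform/get_server_settings", ""),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT src={alert['src']} params={alert['params']!r}")
```

Feed it whatever your proxy or IDS exports as (source, method, path, body) tuples; the character class is deliberately broader than the newline the advisory names, because any value in these three fields that is not a dotted quad or a number is worth a look.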
What immediate steps should I take to mitigate this vulnerability?
On the firmware side, the fix is to restrict and validate the parameters terminal_addr, server_ip and server_port: accept only a well-formed IPv4 address for the two address fields (parse the value as an address rather than merely checking for digits and dots) and only an integer in the valid port range for server_port.
Explicitly reject control characters such as newline (0x0A) and carriage return (0x0D) in these parameters, since a newline is exactly what lets an attacker terminate the intended command.
Avoid building shell command lines from request parameters at all; apply configuration changes through a parameterized API or library (e.g. libuci) that does not go through the shell, or at least pass validated values as separate arguments rather than as one command string.
Where shell scripts are unavoidable, quote every user-derived value properly and avoid constructs such as eval that re-interpret their input.
Until a fixed firmware is available, operators should restrict access to the router's management interface to trusted networks, disable remote (WAN-side) management if it is enabled, and enforce strong, unique administrator credentials, since exploitation requires an authenticated session.
Apply the vendor firmware update as soon as one is published, or replace the device with one not affected by this vulnerability. [1]
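The mechanism from the explanation above and the validation steps listed here, as one added example that is not D-Link's firmware code: the unsafe function pastes the three parameters into a command string the way the advisory describes, so a newline in any value yields a second command line; the hardened functions parse the addresses with the standard ipaddress module, range-check the port, and return an argv list that never touches a shell. The command template is a hypothetical stand-in, because the advisory does not say which command the handler really runs, and the payload used in the demo is constructed.

```python
"""Unsafe command building next to allow-list validation for the
set_server_settings parameters. Added example; CMD_TEMPLATE is a
hypothetical stand-in for the firmware's real command line."""
import ipaddress

# Hypothetical: the advisory does not name the command the handler runs.
CMD_TEMPLATE = "set_syslog_server {terminal_addr} {server_ip} {server_port}"


class BadParameter(ValueError):
    """Raised when a request parameter is not what the handler expects."""


def build_command_unsafe(terminal_addr, server_ip, server_port):
    """The vulnerable pattern: values go into a shell command line unchecked.
    A newline inside any value ends the intended command, and whatever
    follows it runs as a second command once the string reaches sh -c or
    system(). Returned, not executed, so the effect can be inspected."""
    return CMD_TEMPLATE.format(
        terminal_addr=terminal_addr, server_ip=server_ip, server_port=server_port
    )


def validate_ipv4(name, value):
    """Parse the value as an IPv4 address instead of screening characters.
    ipaddress accepts exactly four decimal octets and nothing else, so a
    trailing newline or command fragment is rejected without a blacklist."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        raise BadParameter(f"{name}: not a dotted-quad IPv4 address: {value!r}") from None


def validate_port(name, value):
    """Accept only decimal digits in 1..65535. str.isdecimal() is False for
    '80\\n' or '80;id', so control characters never reach int()."""
    if not value.isdecimal() or not 1 <= int(value) <= 65535:
        raise BadParameter(f"{name}: not a port number in 1..65535: {value!r}")
    return int(value)


def build_command_safe(terminal_addr, server_ip, server_port):
    """Hardened form: validate each field, then return an argv list. Handing
    this list to subprocess.run(argv) (no shell=True) means no shell ever
    parses the values, so separators inside them have no meaning."""
    return [
        "set_syslog_server",
        validate_ipv4("terminal_addr", terminal_addr),
        validate_ipv4("server_ip", server_ip),
        str(validate_port("server_port", server_port)),
    ]


if __name__ == "__main__":
    # Constructed payload in the shape the advisory describes.
    payload = ("127.0.0.1\nwhoami", "1.2.3.4", "80")
    print("unsafe:", repr(build_command_unsafe(*payload)))
    try:
        build_command_safe(*payload)
    except BadParameter as err:
        print("safe:   rejected:", err)
    print("safe:  ", build_command_safe("10.0.0.5", "10.0.0.1", "514"))
```

The point of parsing rather than character-filtering is that the validator has no list of bad bytes to keep up to date: anything that is not a legal address or port fails, including encodings and separators nobody thought of.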