CVE-2026-2129
Remote OS Command Injection in D-Link DIR-823X /goform/set_ac_status
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2129 is a critical remote OS command injection vulnerability found in the D-Link DIR-823X router, version 250416. It affects the /goform/set_ac_status endpoint, where three parameters (ac_ipaddr, ac_ipstatus, and ap_randtime) are improperly sanitized. Specifically, the input filtering fails to block newline characters, allowing an authenticated attacker to inject arbitrary shell commands. These commands are executed with root privileges when the system commits configuration changes and restarts the capwap service. The vulnerability corresponds to CWE-78 and can be exploited remotely with authentication.
How can this vulnerability impact me?
This vulnerability can severely impact the confidentiality, integrity, and availability of the affected device. An attacker who successfully exploits it can execute arbitrary commands with root privileges on the router remotely after authentication. This could lead to unauthorized control over the device, disruption of network services, data theft, or further compromise of the network infrastructure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /goform/set_ac_status endpoint on the D-Link DIR-823X router for command injection via the parameters ac_ipaddr, ac_ipstatus, or ap_randtime.
A proof-of-concept (PoC) exploit is available that performs authentication using HMAC-SHA256 hashed passwords with a session token, then injects commands through these parameters.
The PoC includes a test mode that verifies the vulnerability by injecting a sleep command and measuring response delays, which can be used as a detection method.
- Use the PoC Python script to authenticate and inject a benign command such as 'sleep 5' to observe delayed responses indicating vulnerability.
- Manually send HTTP POST requests to /goform/set_ac_status with manipulated parameters containing newline characters to test for command injection. [2]
What immediate steps should I take to mitigate this vulnerability?
Currently, no known countermeasures or official patches are available for this vulnerability.
Suggested mitigations include implementing strict input validation and sanitization on the vulnerable parameters.
- Apply strict regex-based whitelisting for the ac_ipaddr parameter, for example, allowing only valid IP addresses matching ^[0-9.]{7,15}$.
- Explicitly sanitize or reject inputs containing ASCII control characters, especially newline (0x0A) and carriage return (0x0D) characters.
- Avoid using shell command concatenation by replacing system() calls with direct API calls and execve() with fixed argument lists to prevent shell parsing vulnerabilities.
If possible, replace the affected product with an alternative device not vulnerable to this issue.
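The following C is an added illustration of the three mitigation bullets above; it is not code from D-Link, VulDB or the advisory. It shows a strict character-class validator for a value such as ac_ipaddr (which rejects 0x0A and 0x0D outright, a point worth noting because in several regex engines `$` also matches just before a trailing newline, so an anchored `^[0-9.]{7,15}$` alone may not be enough) and a hardened apply routine that passes the validated value to a fixed argv via execve() instead of a shell. The command being run (/bin/echo) and the function names are hypothetical placeholders for whatever the firmware actually invokes.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 only for a strict dotted-quad IPv4 address. Any other byte,
 * including newline, carriage return, ';', '`' or '$', fails the check. */
int valid_ipv4_param(const char *s)
{
    unsigned int octet = 0, octets = 0, digits = 0;
    if (s == NULL || *s == '\0' || strlen(s) > 15) return 0;
    for (const char *p = s; ; p++) {
        if (*p >= '0' && *p <= '9') {
            if (++digits > 3) return 0;          /* at most 3 digits per octet */
            octet = octet * 10 + (unsigned int)(*p - '0');
            if (octet > 255) return 0;
        } else if (*p == '.' || *p == '\0') {
            if (digits == 0) return 0;           /* empty octet: ".." or trailing "." */
            octets++;
            if (*p == '\0') break;
            octet = 0; digits = 0;
        } else {
            return 0;                            /* control char or shell metachar */
        }
    }
    return octets == 4;
}

/* Vulnerable shape (for contrast, not compiled): the raw parameter is spliced
 * into a command line and handed to a shell, so an embedded newline starts a
 * second command:
 *     snprintf(cmd, sizeof cmd, "ip route add %s", ac_ipaddr); system(cmd);
 */

/* Hardened shape: validate, then exec a fixed argv with no shell involved.
 * /bin/echo is a hypothetical stand-in for the real helper binary.
 * Returns the child's exit status, or -1 on rejected input or failure. */
int apply_ac_ipaddr(const char *ac_ipaddr)
{
    if (!valid_ipv4_param(ac_ipaddr)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", "ac_ipaddr", (char *)ac_ipaddr, NULL };
        char *const envp[] = { NULL };           /* empty, controlled environment */
        execve(argv[0], argv, envp);
        _exit(127);                              /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the value is a single argv element, the kernel never parses it as a command line, so even a value that slipped past validation could not become a second command.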