CVE-2026-2129
Unknown Unknown - Not Provided
Remote OS Command Injection in D-Link DIR-823X /goform/set_ac_status

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-11
Generated
2026-06-20
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-19
NVD
CVE-2026-2129
EUVD
EUVD-2026-5819
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dir-823x_firmware 250416
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2129 is a critical remote OS command injection vulnerability found in the D-Link DIR-823X router, version 250416. It affects the /goform/set_ac_status endpoint, where three parametersβ€”ac_ipaddr, ac_ipstatus, and ap_randtimeβ€”are improperly sanitized. Specifically, the input filtering fails to block newline characters, allowing an authenticated attacker to inject arbitrary shell commands. These commands are executed with root privileges when the system commits configuration changes and restarts the capwap service. The vulnerability corresponds to CWE-78 and can be exploited remotely with authentication.

Impact Analysis

This vulnerability can severely impact the confidentiality, integrity, and availability of the affected device. An attacker who successfully exploits it can execute arbitrary commands with root privileges on the router remotely after authentication. This could lead to unauthorized control over the device, disruption of network services, data theft, or further compromise of the network infrastructure.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /goform/set_ac_status endpoint on the D-Link DIR-823X router for command injection via the parameters ac_ipaddr, ac_ipstatus, or ap_randtime.'}, {'type': 'paragraph', 'content': 'A proof-of-concept (PoC) exploit is available that performs authentication using HMAC-SHA256 hashed passwords with a session token, then injects commands through these parameters.'}, {'type': 'paragraph', 'content': 'The PoC includes a test mode that verifies the vulnerability by injecting a sleep command and measuring response delays, which can be used as a detection method.'}, {'type': 'list_item', 'content': "Use the PoC Python script to authenticate and inject a benign command such as 'sleep 5' to observe delayed responses indicating vulnerability."}, {'type': 'list_item', 'content': 'Manually send HTTP POST requests to /goform/set_ac_status with manipulated parameters containing newline characters to test for command injection.'}] [2]

Mitigation Strategies

Currently, no known countermeasures or official patches are available for this vulnerability.

Suggested mitigations include implementing strict input validation and sanitization on the vulnerable parameters.

  • Apply strict regex-based whitelisting for the ac_ipaddr parameter, for example, allowing only valid IP addresses matching ^[0-9.]{7,15}$.
  • Explicitly sanitize or reject inputs containing ASCII control characters, especially newline (0x0A) and carriage return (0x0D) characters.
  • Avoid using shell command concatenation by replacing system() calls with direct API calls and execve() with fixed argument lists to prevent shell parsing vulnerabilities.

If possible, replace the affected product with an alternative device not vulnerable to this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart