Executive Summary

CVE-2026-2142 is a remote OS command injection vulnerability found in the D-Link DIR-823X router, firmware version 250416. It affects the /goform/set_qos endpoint, specifically the backend function sub_420688. The vulnerability arises because certain QoS-related parameters (qqos_enable, qqos_max_download, qqos_max_upload) are not properly sanitized, allowing an authenticated attacker to inject newline characters. These newline characters prematurely terminate the intended UCI configuration command and allow arbitrary shell commands to be appended and executed with root privileges.

The flaw is due to inadequate filtering of newline characters in the input parameters, which bypasses the blacklist filtering mechanism. This enables attackers to execute arbitrary commands on the device remotely, gaining full control over it.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated remote attacker to execute arbitrary OS commands with root privileges on the affected D-Link DIR-823X router. This means the attacker can gain full control over the device, potentially leading to unauthorized access, data theft, device manipulation, or disruption of network services.

Because the commands run with root privileges, the attacker can compromise the confidentiality, integrity, and availability of the device and the network it supports.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and testing the /goform/set_qos endpoint on the D-Link DIR-823X router (firmware version 250416) for command injection attempts. Since the exploit requires authentication, detection involves sending crafted POST requests with injection payloads in parameters such as qqos_enable, qqos_max_download, or qqos_max_upload.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send a POST request with a payload that injects a command causing a measurable effect, such as a delay (e.g., sleep 3) or a visible change in system behavior.'}, {'type': 'paragraph', 'content': 'Example commands to test for the vulnerability include using curl or similar tools to send POST requests with injection payloads. For instance:'}, {'type': 'list_item', 'content': 'curl -X POST -d \'qqos_enable=1"\\n\\nsleep 3\\n"\' http://<router-ip>/goform/set_qos -b \'auth_cookies\''}, {'type': 'list_item', 'content': 'Observe if the response is delayed by the sleep duration, indicating successful command injection.'}, {'type': 'paragraph', 'content': 'Detection also involves verifying authentication tokens or cookies as the exploit requires authenticated access.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected /goform/set_qos endpoint and ensuring only trusted authenticated users can reach it.

Since the vulnerability arises from insufficient input sanitization, it is recommended to:

• Implement strict input validation using whitelisting to allow only valid numeric characters in the parameters qqos_enable, qqos_max_download, and qqos_max_upload.
• Extend the blacklist of forbidden characters to explicitly reject newline characters (\n, \r) and other shell metacharacters such as $, `, and .
• Replace shell command execution with native API calls (e.g., using libuci) to avoid invoking the shell.
• Enforce strict input format validation to reject any input containing unexpected non-numeric characters immediately.

If possible, update the router firmware to a version that addresses this vulnerability or replace the affected device with a secure alternative.

Useful 0 Not Useful 0