CVE-2026-2142
OS Command Injection in D-Link DIR-823X /goform/set_qos
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2142 is a remote OS command injection vulnerability found in the D-Link DIR-823X router, firmware version 250416. It affects the /goform/set_qos endpoint, specifically the backend function sub_420688. The vulnerability arises because certain QoS-related parameters (qqos_enable, qqos_max_download, qqos_max_upload) are not properly sanitized, allowing an authenticated attacker to inject newline characters. These newline characters prematurely terminate the intended UCI configuration command and allow arbitrary shell commands to be appended and executed with root privileges.
The flaw is due to inadequate filtering of newline characters in the input parameters, which bypasses the blacklist filtering mechanism. This enables attackers to execute arbitrary commands on the device remotely, gaining full control over it.
How can this vulnerability impact me? :
This vulnerability allows an authenticated remote attacker to execute arbitrary OS commands with root privileges on the affected D-Link DIR-823X router. This means the attacker can gain full control over the device, potentially leading to unauthorized access, data theft, device manipulation, or disruption of network services.
Because the commands run with root privileges, the attacker can compromise the confidentiality, integrity, and availability of the device and the network it supports.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and testing the /goform/set_qos endpoint on the D-Link DIR-823X router (firmware version 250416) for command injection attempts. Since the exploit requires authentication, detection involves sending crafted POST requests with injection payloads in parameters such as qqos_enable, qqos_max_download, or qqos_max_upload.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send a POST request with a payload that injects a command causing a measurable effect, such as a delay (e.g., sleep 3) or a visible change in system behavior.'}, {'type': 'paragraph', 'content': 'Example commands to test for the vulnerability include using curl or similar tools to send POST requests with injection payloads. For instance:'}, {'type': 'list_item', 'content': 'curl -X POST -d \'qqos_enable=1"\\n\\nsleep 3\\n"\' http://<router-ip>/goform/set_qos -b \'auth_cookies\''}, {'type': 'list_item', 'content': 'Observe if the response is delayed by the sleep duration, indicating successful command injection.'}, {'type': 'paragraph', 'content': 'Detection also involves verifying authentication tokens or cookies as the exploit requires authenticated access.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected /goform/set_qos endpoint and ensuring only trusted authenticated users can reach it.
Since the vulnerability arises from insufficient input sanitization, it is recommended to:
- Implement strict input validation using whitelisting to allow only valid numeric characters in the parameters qqos_enable, qqos_max_download, and qqos_max_upload.
- Extend the blacklist of forbidden characters to explicitly reject newline characters (\n, \r) and other shell metacharacters such as $, `, and .
- Replace shell command execution with native API calls (e.g., using libuci) to avoid invoking the shell.
- Enforce strict input format validation to reject any input containing unexpected non-numeric characters immediately.
If possible, update the router firmware to a version that addresses this vulnerability or replace the affected device with a secure alternative.