CVE-2026-2143
OS Command Injection in D-Link DIR-823X DDNS Service
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2143 is a critical remote OS command injection vulnerability found in the D-Link DIR-823X router, version 250416, specifically in the DDNS Service component at the /goform/set_ddns endpoint.
The vulnerability arises because the router improperly handles user-supplied input parameters such as ddnsType, ddnsDomainName, ddnsUserName, and ddnsPwd. These parameters are used to construct operating system commands without adequate sanitization, especially failing to filter newline characters, allowing attackers to inject arbitrary shell commands.
An authenticated attacker can exploit this flaw remotely by injecting malicious commands that get executed with root privileges when the router commits DDNS configurations and restarts the DDNS service.
This vulnerability corresponds to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and related weaknesses, enabling full system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /goform/set_ddns endpoint on the D-Link DIR-823X router for command injection via the DDNS parameters: ddnsType, ddnsDomainName, ddnsUserName, and ddnsPwd.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authentication, detection involves sending authenticated POST requests with crafted payloads that include newline characters (\\n) or other shell command injection attempts in these parameters.'}, {'type': 'paragraph', 'content': 'A practical approach is to use a script or tool that sends POST requests to /goform/set_ddns with injected commands, such as adding a payload like test"\\n\\necho " to observe if arbitrary commands execute.'}, {'type': 'paragraph', 'content': 'For example, a Python script (as demonstrated in the public proof-of-concept) can be used to authenticate and send these crafted requests, verifying command execution by observing delays (e.g., sleep 3) or output changes.'}, {'type': 'list_item', 'content': 'Send an authenticated POST request to http://<router-ip>/goform/set_ddns with parameters containing newline characters to test command injection.'}, {'type': 'list_item', 'content': 'Use tools like curl or custom scripts to inject payloads such as ddnsType=test"\\n\\necho injected" and check for command execution effects.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable router and avoiding use of the affected DDNS configuration interface until a fix is applied.'}, {'type': 'paragraph', 'content': 'Since no known mitigations or patches are currently identified, it is recommended to replace the affected product with an alternative device.'}, {'type': 'paragraph', 'content': "If replacement is not immediately possible, restrict network access to the router's management interface to trusted users only and disable remote management if enabled."}, {'type': 'paragraph', 'content': 'Additionally, monitor for suspicious activity related to DDNS configuration changes and avoid using the DDNS service on the affected router.'}, {'type': 'paragraph', 'content': 'Suggested longer-term mitigations include implementing strict input validation and sanitization on DDNS parameters, rejecting control characters like line feed and carriage return, and securing the DDNS restart scripts, but these require vendor action.'}] [1, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability allows an attacker to execute arbitrary OS commands with root privileges on the affected router.
This can lead to full system compromise, impacting the confidentiality, integrity, and availability of the device.
- Attackers can manipulate router configurations, disrupt network services, or use the device as a foothold for further attacks.
- Since the attack can be carried out remotely (with authentication), it poses a significant security risk to network infrastructure relying on the affected router.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know