CVE-2026-2155
Analyzed Analyzed - Analysis Complete
OS Command Injection in D-Link DIR-823X Configuration Handler

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A security flaw has been discovered in D-Link DIR-823X 250416. The affected element is the function sub_4208A0 of the file /goform/set_dmz of the component Configuration Handler. The manipulation of the argument dmz_host/dmz_enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2155
EUVD
EUVD-2026-5794
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dir-823x_firmware 250416
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2155 is a remote OS command injection vulnerability found in the D-Link DIR-823X router, firmware version 250416. It occurs in the function sub_4208A0 of the /goform/set_dmz endpoint, which handles configuration changes related to DMZ settings.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the router's backend fails to properly sanitize newline characters (\\n or 0x0A) in the user-supplied parameters dmz_host and dmz_enable. This allows an authenticated attacker to inject newline characters that truncate the original configuration command and append arbitrary shell commands."}, {'type': 'paragraph', 'content': "As a result, the attacker can execute arbitrary OS commands with root privileges remotely by exploiting this input sanitization flaw in the router's configuration interface."}] [1, 2, 3, 4]

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary shell commands with root privileges on the affected router remotely.

  • Compromise of device confidentiality: attacker can access sensitive information stored or processed by the router.
  • Integrity impact: attacker can modify router configurations or inject malicious commands.
  • Availability impact: attacker can disrupt network services by restarting or disabling firewall or other critical components.

Because the exploit is publicly available, the risk of exploitation is high, making the device vulnerable to remote attacks that can lead to full device compromise.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /goform/set_dmz endpoint on the D-Link DIR-823X router (firmware 250416) for command injection via the dmz_host or dmz_enable parameters. An authenticated attacker can send crafted POST requests containing newline characters (\\n) in these parameters to check if arbitrary commands can be executed.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves sending a POST request with a payload that injects shell commands through dmz_host, for example by including newline characters to break the command context and execute arbitrary commands. Detection can also be done by observing unusual command execution or response timing delays caused by injected commands such as sleep.'}, {'type': 'paragraph', 'content': 'Suggested detection commands include using curl or similar tools to send authenticated POST requests to the /goform/set_dmz endpoint with payloads like:'}, {'type': 'list_item', 'content': 'curl -X POST -d \'dmz_host=192.168.1.100"\\n\\necho vulnerable\' -b \'auth_cookie=token\' http://<router_ip>/goform/set_dmz'}, {'type': 'list_item', 'content': 'Using timing-based detection by injecting commands such as sleep to observe response delays.'}, {'type': 'paragraph', 'content': 'Authentication is required to perform these tests, as the vulnerability requires authenticated access.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the affected router's management interface to trusted users only, ensuring strong authentication credentials are in place, and disabling remote management if not needed."}, {'type': 'paragraph', 'content': 'From a technical perspective, suggested mitigations are:'}, {'type': 'list_item', 'content': 'Implement strict input validation by whitelisting dmz_host to only allow valid IPv4 addresses and restricting dmz_enable to values 0 or 1.'}, {'type': 'list_item', 'content': 'Enhance input sanitization to explicitly reject newline (\\n), carriage return (\\r), and other shell metacharacters such as $.'}, {'type': 'list_item', 'content': 'Replace shell command execution with native API calls (e.g., using libuci) to avoid invoking shell interpreters.'}, {'type': 'list_item', 'content': 'Enforce strict input length limits to reduce the complexity of potential payloads.'}, {'type': 'paragraph', 'content': 'If possible, update the router firmware to a version that addresses this vulnerability or replace the affected device with a secure alternative.'}] [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart