CVE-2026-2155
Status: Analyzed - Analysis Complete
OS Command Injection in D-Link DIR-823X Configuration Handler

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A security flaw has been discovered in D-Link DIR-823X 250416. The affected element is the function sub_4208A0 of the file /goform/set_dmz of the component Configuration Handler. The manipulation of the argument dmz_host/dmz_enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Meta Information

Published: 2026-02-08
Last Modified: 2026-02-11
Generated: 2026-05-06
AI Q&A: 2026-02-08
EPSS Evaluated: 2026-05-05

References: NVD, EUVD
Affected Vendors & Products

Vendor    Product              Version / Range
dlink     dir-823x_firmware    250416
CWE

CWE ID    Description
CWE-78    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77    The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2155 is a remote OS command injection vulnerability in the D-Link DIR-823X router, firmware version 250416. It occurs in the function sub_4208A0 behind the /goform/set_dmz endpoint, which handles configuration changes to the DMZ settings.

The vulnerability arises because the router's backend fails to sanitize newline characters (\n, 0x0A) in the user-supplied parameters dmz_host and dmz_enable. An authenticated attacker can inject newline characters that terminate the original configuration command and append arbitrary shell commands after it.

As a result, the attacker can remotely execute arbitrary OS commands with root privileges by exploiting this input sanitization flaw in the router's configuration interface. [1, 2, 3, 4]


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker to execute arbitrary shell commands with root privileges on the affected router remotely.

  • Compromise of device confidentiality: attacker can access sensitive information stored or processed by the router.
  • Integrity impact: attacker can modify router configurations or inject malicious commands.
  • Availability impact: attacker can disrupt network services by restarting or disabling firewall or other critical components.

Because the exploit is publicly available, the risk of exploitation is high, making the device vulnerable to remote attacks that can lead to full device compromise.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /goform/set_dmz endpoint of the D-Link DIR-823X router (firmware 250416) for command injection through the dmz_host or dmz_enable parameters. An authenticated tester sends crafted POST requests containing newline characters (\n, 0x0A) in these parameters and checks whether the appended command is executed.

A proof of concept sends a POST request whose dmz_host value contains newline characters that break out of the configuration command and append an arbitrary command. Execution can be confirmed by observing unexpected command activity on the device, or by a response delay caused by an injected command such as sleep.

Suggested detection commands use curl or a similar tool to send authenticated POST requests to the /goform/set_dmz endpoint with payloads like:

  • curl -X POST -d $'dmz_host=192.168.1.100"\n\necho vulnerable' -b 'auth_cookie=token' http://<router_ip>/goform/set_dmz
    (bash $'...' quoting turns \n into a real 0x0A byte; inside plain single quotes curl would send a literal backslash followed by n, and nothing would be injected. auth_cookie=token stands for whatever session cookie the router issues after login.)
  • A timing-based check injects a command such as sleep in the same position and compares the response time against an unmodified request.

Authentication is required to perform these tests, as the vulnerability requires authenticated access. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the affected router's management interface to trusted users only, ensuring strong authentication credentials are in place, and disabling remote management if it is not needed.

From a technical perspective, suggested mitigations are:

  • Implement strict input validation by whitelisting dmz_host to only allow valid IPv4 addresses and restricting dmz_enable to the values 0 or 1.
  • Enhance input sanitization to explicitly reject newline (\n), carriage return (\r), and other shell metacharacters such as $.
  • Replace shell command execution with native API calls (e.g., using libuci) to avoid invoking a shell interpreter.
  • Enforce strict input length limits to reduce the complexity of potential payloads.

If possible, update the router firmware to a version that addresses this vulnerability or replace the affected device with a secure alternative. [2, 4]
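The following Python is an added example, not code from this page, from D-Link, or from the CVE source. It ties together the two previous answers: the allowlist that the mitigation list describes (dmz_host must be a single IPv4 address, dmz_enable must be 0 or 1, line breaks and shell metacharacters are rejected outright, length is capped) and the detection idea from the previous answer, applied to POST requests to /goform/set_dmz. It decodes the body the same way a form handler would, so a newline smuggled as %0A and a raw 0x0A byte in the body both end up as the same character before the check. The parameter names and endpoint come from the advisory; the assumption that the body is application/x-www-form-urlencoded, the sample requests, and the exact set of rejected characters beyond \n, \r and $ are mine.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Characters a hardened handler refuses in any configuration value.
# The page names \n, \r and $; the remaining entries are the usual shell
# metacharacters and are an assumption of this example, not of the advisory.
FORBIDDEN = re.compile(r"[\r\n$`;&|<>(){}\\\"']")


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}.

    parse_qs turns %0A into a real newline and leaves a raw newline byte in
    place, so both ways of smuggling 0x0A into the request look identical here.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_valid_dmz_host(value: str) -> bool:
    """Allowlist: exactly one well-formed dotted-quad IPv4 address."""
    if len(value) > 15:  # 255.255.255.255 is the longest legal value
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def is_valid_dmz_enable(value: str) -> bool:
    """Allowlist: the flag is either 0 or 1, nothing else."""
    return value in ("0", "1")


def check_set_dmz(body: str) -> list:
    """Return (parameter, reason) findings for a set_dmz body; [] means clean.

    Metacharacters are reported before the allowlist check so that a report
    distinguishes an injection attempt from a merely malformed value.
    """
    params = parse_form_body(body)
    findings = []
    for name, validator in (("dmz_host", is_valid_dmz_host),
                            ("dmz_enable", is_valid_dmz_enable)):
        if name not in params:
            continue
        value = params[name]
        if FORBIDDEN.search(value):
            findings.append((name, "shell metacharacter or line break in value"))
        elif not validator(value):
            findings.append((name, "value outside allowlist"))
    return findings


def scan_requests(requests: list) -> list:
    """Run check_set_dmz over (request_line, body) pairs for the affected endpoint."""
    hits = []
    for request_line, body in requests:
        if not request_line.startswith("POST /goform/set_dmz"):
            continue
        findings = check_set_dmz(body)
        if findings:
            hits.append((request_line, findings))
    return hits


# Constructed sample traffic for this example; not captures from a real device.
SAMPLES = [
    # legitimate DMZ change
    ("POST /goform/set_dmz HTTP/1.1", "dmz_enable=1&dmz_host=192.168.1.100"),
    # newline smuggled as %0A in dmz_host, appending a command
    ("POST /goform/set_dmz HTTP/1.1",
     "dmz_enable=1&dmz_host=192.168.1.100%0A%0Aecho%20vulnerable"),
    # raw newline bytes in dmz_enable, timing-based probe
    ("POST /goform/set_dmz HTTP/1.1", "dmz_enable=1\n\nsleep 5&dmz_host=192.168.1.100"),
    # command substitution instead of a line break
    ("POST /goform/set_dmz HTTP/1.1", "dmz_enable=1&dmz_host=$(id)"),
    # a different endpoint; out of scope for this check
    ("POST /goform/set_wan HTTP/1.1", "wan_type=dhcp%0Aecho%20x"),
]

if __name__ == "__main__":
    for request_line, findings in scan_requests(SAMPLES):
        print(request_line, findings)
```

The same is_valid_dmz_host and is_valid_dmz_enable functions are what a fixed handler would call before touching the value; a request that fails them should be rejected with an error, never passed on to whatever builds the configuration command. Run over a proxy log or a PCAP export of management-interface traffic, scan_requests flags the requests that carry the injection pattern regardless of whether the newline arrived percent-encoded or raw.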

