CVE-2026-2163
Status: Analyzed (Analysis Complete)
Remote Command Injection in D-Link DIR-600 ssdp.cgi

Publication date: 2026-02-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Published: 2026-02-08
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-02-08
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dlink
Product: dir-600_firmware
Version / Range: up to 2.15wwb02 (inclusive)
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2163 is a command injection vulnerability (CWE-77) in the D-Link DIR-600 router, affecting firmware versions up to and including 2.15WWb02. The flaw lies in ssdp.cgi, where the arguments HTTP_ST, REMOTE_ADDR, REMOTE_PORT, and SERVER_ID are used to build an operating-system command without neutralizing shell special characters, so an attacker who controls any of them can inject and execute arbitrary commands on the device. The argument names are CGI environment variables: HTTP_ST is the CGI form of an ST request header (the search-target header SSDP uses), and REMOTE_ADDR/REMOTE_PORT are the peer's address and port as seen by the CGI handler, which means attacker-controlled values arrive with the request itself rather than through a form the attacker has to fill in.

The attack may be launched remotely. This page assesses exploitation as requiring authentication with elevated privileges; the published description does not state an authentication requirement, so treat the device as exposed to any peer that can reach the affected service. A proof-of-concept exploit is publicly available. The affected product is no longer supported by the vendor, and no official patches or mitigations have been released.


How can this vulnerability impact me?

This vulnerability can severely impact the confidentiality, integrity, and availability of the affected device. An attacker exploiting this flaw can execute arbitrary commands remotely, potentially gaining control over the router.

  • Compromise of device control, including the ability to run malicious commands.
  • Potential establishment of reverse shells or persistent backdoors.
  • Disruption of network services or device availability.
  • Exposure of sensitive network information passing through the router.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves command injection via manipulation of the HTTP_ST, REMOTE_ADDR, REMOTE_PORT, or SERVER_ID arguments handled by the ssdp.cgi file of the D-Link DIR-600 router firmware up to version 2.15WWb02.

Detection can involve monitoring network traffic for suspicious requests reaching the ssdp.cgi endpoint with unusual or crafted values in HTTP_ST, REMOTE_ADDR, REMOTE_PORT, or SERVER_ID. Keep in mind that these names are CGI environment variables: HTTP_ST is the CGI form of a request header named ST, which is the search-target header of an SSDP M-SEARCH message, and REMOTE_ADDR/REMOTE_PORT are the standard CGI variables describing the peer. A filter limited to TCP port 80 requests that mention ssdp.cgi may therefore miss the relevant traffic; capture UDP port 1900 as well and inspect ST header values, which for legitimate discovery look like ssdp:all, upnp:rootdevice, uuid:<id>, or urn:<domain>:device|service:<type>:<version>. Any ST value containing shell metacharacters (;, |, &, backticks, $( ), line breaks) is worth an alert.

Since this page assesses the exploit as requiring authentication with elevated privileges, checking for unauthorized or suspicious authenticated sessions on the router may also help.

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to filter requests to ssdp.cgi and inspect parameters for command injection patterns.
  • Example tcpdump command to capture TCP port 80 segments that carry a payload and filter for ssdp.cgi (the arithmetic subtracts the IP and TCP header lengths from the IP total length, so pure ACKs are skipped; the grep only matches where the string appears in clear text, so it sees nothing inside TLS):
    tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep ssdp.cgi
  • Check router logs for unusual commands or errors related to ssdp.cgi or unexpected system command executions.

Note that no specific detection commands or tools are published for this vulnerability, and the affected product is no longer supported. [1, 3]
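The following detector is an added example, written for this page; it is not D-Link's code and not part of the advisory or its public exploit. It assumes the four advisory arguments map to CGI variables the way their names imply (HTTP_ST from an SSDP M-SEARCH "ST:" header, REMOTE_ADDR/REMOTE_PORT from the peer, SERVER_ID treated as a plain identifier) and that parameters could also arrive as an HTTP query string to ssdp.cgi; the advisory does not say which delivery path the exploit uses, so the script parses both. It goes beyond the page's "look for crafted parameters" advice by checking each field against a positive grammar (what a legitimate value must look like) in addition to a shell-metacharacter blacklist, which is also the shape of the fix CWE-77 calls for. All datagrams and request lines are constructed samples.

```python
"""Flag ssdp.cgi-related inputs that look like command injection attempts.

Added example, not D-Link's code and not from the advisory. The mapping of the
advisory's argument names to CGI variables (HTTP_ST <- "ST" header of an SSDP
M-SEARCH, REMOTE_ADDR / REMOTE_PORT <- peer, SERVER_ID <- plain identifier) and
the HTTP query-string delivery path are assumptions. Samples are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Characters that let input escape a shell command built by string
# concatenation (CWE-77). Backticks, $( ) and line breaks matter as much as ; | &.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r\\'\"]")

# Positive grammar for a legitimate SSDP search target (UPnP Device Architecture
# 1.1): ssdp:all, upnp:rootdevice, uuid:<id>, urn:<domain>:device|service:<type>:<ver>.
ST_ALLOWED = re.compile(
    r"^(ssdp:all|upnp:rootdevice|uuid:[A-Za-z0-9\-]+"
    r"|urn:[A-Za-z0-9\-.]+:(device|service):[A-Za-z0-9\-._]+:\d+)$"
)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PORT = re.compile(r"^\d{1,5}$")
IDENT = re.compile(r"^[A-Za-z0-9_\-.]{1,64}$")   # assumed shape of SERVER_ID

VALIDATORS = {"HTTP_ST": ST_ALLOWED, "REMOTE_ADDR": IPV4,
              "REMOTE_PORT": PORT, "SERVER_ID": IDENT}


@dataclass
class Finding:
    source: str   # "ssdp" (UDP 1900 datagram) or "http" (request to ssdp.cgi)
    field: str
    value: str
    reason: str


def check_fields(source, fields):
    """Return a Finding for every known field that carries shell metacharacters
    or falls outside its allowlist grammar; fields not in VALIDATORS are ignored."""
    findings = []
    for name, value in fields.items():
        rule = VALIDATORS.get(name)
        if rule is None:
            continue
        if SHELL_META.search(value):
            findings.append(Finding(source, name, value, "shell metacharacter"))
        elif not rule.match(value):
            findings.append(Finding(source, name, value, "outside expected grammar"))
    return findings


def parse_msearch(datagram, src_addr, src_port):
    """Map an SSDP M-SEARCH datagram onto the CGI variables ssdp.cgi would see.
    Returns None for anything that is not an M-SEARCH."""
    lines = datagram.split("\r\n")
    if not lines or not lines[0].startswith("M-SEARCH"):
        return None
    fields = {"REMOTE_ADDR": src_addr, "REMOTE_PORT": str(src_port)}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep and key.strip().upper() == "ST":
            fields["HTTP_ST"] = val.strip()   # CGI exposes request header X as HTTP_X
    return fields


def parse_http_query(request_line):
    """Extract query parameters from a request line whose path ends in ssdp.cgi
    (assumed delivery path); returns None for any other request."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("ssdp.cgi"):
        return None
    return {k.upper(): v for k, v in parse_qsl(url.query, keep_blank_values=True)}


# Constructed samples: two benign discoveries, one ST header carrying a backtick
# substitution, and one HTTP request smuggling a pipe (%7C) into server_id.
SAMPLE_MSEARCH = [
    ("192.168.0.23", 49152, "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n"),
    ("192.168.0.77", 50000, "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
     "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.168.0.99", 51234, "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: uuid:`telnetd`\r\n\r\n"),
]
SAMPLE_HTTP = [
    "GET /index.html HTTP/1.1",
    "GET /ssdp.cgi?server_id=DIR-600%7Cid HTTP/1.1",
]


def scan(msearch_samples=SAMPLE_MSEARCH, http_samples=SAMPLE_HTTP):
    """Run both parsers over the samples and collect findings in input order."""
    findings = []
    for addr, port, dgram in msearch_samples:
        fields = parse_msearch(dgram, addr, port)
        if fields is not None:
            findings.extend(check_fields("ssdp", fields))
    for line in http_samples:
        fields = parse_http_query(line)
        if fields is not None:
            findings.extend(check_fields("http", fields))
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f.source}] {f.field}={f.value!r}: {f.reason}")
```

On a live network the datagram source would be a UDP port 1900 capture and the request lines a TCP port 80 capture; the two-stage check (metacharacter blacklist first, allowlist grammar second) means an attacker who avoids the obvious characters still trips the grammar check, which is why the hardened side of a CWE-77 fix should also validate against what the field is supposed to contain rather than only strip characters.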


What immediate steps should I take to mitigate this vulnerability?

The affected D-Link DIR-600 devices with firmware up to 2.15WWb02 are no longer supported by the vendor, and no official mitigations or patches are available.

Immediate mitigation steps include:

  • Replace the vulnerable device with a supported and updated router model from a trusted vendor.
  • Restrict network access to the router's management interface to trusted hosts only, preferably via network segmentation or firewall rules.
  • Disable remote management features if enabled to reduce exposure to remote exploitation.
  • The affected argument names (HTTP_ST, REMOTE_ADDR, REMOTE_PORT) are CGI variables of the kind populated from an SSDP M-SEARCH request, so if the device offers the option, disable UPnP/SSDP as well, and block UDP port 1900 from untrusted networks.
  • Monitor network traffic and router logs for signs of exploitation attempts.

This page assesses the exploit as requiring authentication with elevated privileges, so ensure strong authentication credentials and change default passwords; do not rely on that requirement alone, since the published description only states that the attack may be launched remotely. [1]

