CVE-2026-2175
Status: Analyzed (Analysis Complete)
OS Command Injection in D-Link DIR-823X UPnP Remote Exploit

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A weakness has been identified in D-Link DIR-823X 250416. The vulnerability affects the function sub_420618 of the file /goform/set_upnp. Manipulation of the argument upnp_enable leads to OS command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Meta Information
Published: 2026-02-08
Last Modified: 2026-02-11
Generated: 2026-05-06
AI Q&A: 2026-02-08
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: dlink
Product: dir-823x_firmware
Version / Range: 250416
CWE ID: Description
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2175 is a remote OS command injection vulnerability found in the D-Link DIR-823X router, firmware version 250416. It affects the /goform/set_upnp endpoint, specifically the function sub_420618, which processes the upnp_enable parameter. The vulnerability arises because the input validation fails to filter newline characters, allowing an authenticated attacker to inject newline characters that prematurely terminate the intended configuration command and append arbitrary shell commands.

These injected commands are executed with root privileges, giving the attacker full control over the device. The attack requires authentication but can be performed remotely. A proof-of-concept exploit is publicly available, making exploitation easier.


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker to execute arbitrary OS commands with root privileges on the affected router. This can lead to complete compromise of the device, including unauthorized access, modification, or disruption of network traffic.

  • Full control over the router device.
  • Compromise of confidentiality, integrity, and availability of the device.
  • Potential for further attacks on the internal network.
  • No known mitigations currently exist, increasing risk.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /goform/set_upnp endpoint on the D-Link DIR-823X router firmware version 250416 for command injection via the upnp_enable parameter.

Detection involves sending authenticated POST requests to the /goform/set_upnp endpoint with specially crafted payloads that include newline characters to attempt command injection.

A proof-of-concept Python script exists that performs the following steps: authenticates to the router, injects commands via the upnp_enable parameter, and verifies command execution (e.g., by using sleep delays).

Suggested detection commands or methods include:

  • Send an authenticated POST request to /goform/set_upnp with upnp_enable set to a payload like: 1"\n\necho test_command
  • Observe whether the injected command (e.g., echo test_command) is executed on the device, indicating vulnerability.
  • Use the PoC Python script from Resource 3 to automate detection by performing login, token retrieval, and payload injection.

[3]


What immediate steps should I take to mitigate this vulnerability?

Currently, no official patches or vendor mitigations are available for this vulnerability.

Immediate mitigation steps include:

  • Restrict access to the router's management interface to trusted networks and users only, minimizing exposure.
  • Disable remote management features if possible to prevent remote exploitation.
  • Implement strict input validation or filtering on the upnp_enable parameter if you have the capability to modify the firmware or configuration.
  • Replace the affected device with an alternative product that is not vulnerable.

Suggested technical mitigations from Resource 3 include implementing strict whitelisting (allowing only 0 or 1 for upnp_enable), expanding blacklist filters to reject newline and other shell metacharacters, replacing shell command execution with native API calls, and adding rigorous input validation.

[2, 3]
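As an added example (not D-Link's code and not taken from the referenced PoC), the whitelist mitigation above written out as a hardened C handler: upnp_enable is accepted only as the literal "0" or "1", and the accepted state selects a fixed argument vector instead of being spliced into a shell command line. The helper binary path and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of validating the upnp_enable parameter. */
typedef enum { UPNP_REJECT = -1, UPNP_OFF = 0, UPNP_ON = 1 } upnp_state;
/* Allow-list check: only the exact strings "0" and "1" are valid. A value
 * that starts with "1" but carries a newline, quote or any extra byte is
 * rejected before a command is ever assembled. */
upnp_state parse_upnp_enable(const char *value)
{
    if (value == NULL)           return UPNP_REJECT;
    if (strcmp(value, "0") == 0) return UPNP_OFF;
    if (strcmp(value, "1") == 0) return UPNP_ON;
    return UPNP_REJECT;
}
/* True if the raw value holds a byte a shell would interpret; used only
 * to classify rejected requests when logging them. */
bool has_shell_metachar(const char *value)
{
    return value != NULL && strpbrk(value, "\n\r;|&`$\"'<>") != NULL;
}

/* Instead of building a shell string that embeds value, map the accepted
 * state to a fixed argv for execv(), so no shell parses the parameter.
 * The helper path /usr/sbin/upnpd-ctl is hypothetical. */
int build_upnp_argv(const char *value, const char *argv[3])
{
    upnp_state s = parse_upnp_enable(value);
    if (s == UPNP_REJECT) return -1;
    argv[0] = "/usr/sbin/upnpd-ctl";
    argv[1] = (s == UPNP_ON) ? "start" : "stop";
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: two valid, two that must be rejected. */
    const char *samples[] = { "1", "0", "1\nextra", "01" };
    const char *argv[3];
    for (int i = 0; i < 4; i++) {
        if (build_upnp_argv(samples[i], argv) == 0)
            printf("sample %d: accepted -> %s %s\n", i, argv[0], argv[1]);
        else
            printf("sample %d: rejected (shell metachar: %d)\n", i,
                   has_shell_metachar(samples[i]));
    }
    return 0;
}
```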

