CVE-2026-2210
OS Command Injection in D-Link DIR-823X /goform/set_filtering
Publication date: 2026-02-09
Last updated on: 2026-02-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2210 is a critical OS command injection vulnerability found in the D-Link DIR-823X router, version 250416. The flaw exists in the function sub_4211C8 within the /goform/set_filtering endpoint.
This vulnerability arises because the product constructs OS commands using externally influenced input without properly neutralizing special characters, allowing an attacker to inject arbitrary commands.
An authenticated attacker can exploit this flaw by injecting newline characters to bypass superficial filters and execute arbitrary shell commands with root privileges remotely.
The attack can be performed remotely and requires an enhanced level of authentication. The vulnerability is easily exploitable, with a publicly available proof-of-concept exploit.
How can this vulnerability impact me? :
Exploiting this vulnerability can compromise the confidentiality, integrity, and availability of the affected device.
An attacker who successfully exploits this flaw can execute arbitrary commands with root privileges, leading to full system compromise.
This may allow unauthorized control over the router, potentially disrupting network operations, stealing sensitive information, or using the device as a foothold for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious requests sent to the /goform/set_filtering endpoint on the D-Link DIR-823X router, especially those containing unusual or malformed parameters such as ipaddr, macaddr, urladdr, and name with injected newline characters (\\n or 0x0A).'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves OS command injection via crafted HTTP requests, detection can involve capturing and analyzing HTTP traffic to identify attempts to inject shell commands or bypass filters.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts might include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to /goform/set_filtering, for example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/set_filtering'"}, {'type': 'list_item', 'content': "Use grep or similar tools on web server logs to search for requests containing suspicious parameters or newline characters, e.g., grep -i 'set_filtering' /var/log/httpd/access_log | grep -P '\\\\n'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected root shell commands or unusual system behavior on the device may help detect exploitation.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'No known countermeasures or patches have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate mitigation is to replace the affected D-Link DIR-823X router with an alternative device that is not vulnerable.'}, {'type': 'paragraph', 'content': "Since the exploit requires authenticated access with elevated privileges, restricting access to the router's management interface and enforcing strong authentication controls may reduce risk."}, {'type': 'paragraph', 'content': 'Monitoring network traffic and logs for exploitation attempts and isolating the device from untrusted networks can also help mitigate potential attacks.'}] [1, 4]