CVE-2026-4499
Received Received - Intake
OS Command Injection in D-Link DIR-820LW SSDP Component

Publication date: 2026-03-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4499
EUVD
EUVD-2026-13800
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dir-820lw_firmware 2.03
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected router without any authentication or user interaction. This can lead to unauthorized control over the device, potentially allowing the attacker to disrupt network operations, steal sensitive information, or use the device as a foothold for further attacks.

Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in the D-Link DIR-820LW router, specifically in the 'ssdpcgi_main' function of the SSDP component. It is an OS command injection flaw that occurs because the 'HTTP_ST' environment variable is improperly handled. An attacker can exploit this by injecting arbitrary operating system commands remotely, which the device then executes."}] [1]

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability in the D-Link DIR-820LW router firmware version B2.03 is exploitable via the 'HTTP_ST' environment variable in the 'ssdpcgi_main' function, allowing OS command injection."}, {'type': 'paragraph', 'content': "To detect this vulnerability on your network or system, you can monitor HTTP requests to the router for suspicious or malformed 'HTTP_ST' headers that may attempt command injection."}, {'type': 'paragraph', 'content': "A practical approach is to use network traffic analysis tools like tcpdump or Wireshark to capture HTTP traffic to the router and filter for unusual 'HTTP_ST' header values."}, {'type': 'paragraph', 'content': "Example command to capture HTTP traffic on the router's IP (replace <router_ip> with actual IP):"}, {'type': 'list_item', 'content': 'tcpdump -i any host <router_ip> and tcp port 80 -A | grep HTTP_ST'}, {'type': 'paragraph', 'content': "Additionally, you can attempt to send crafted HTTP requests with injected commands in the 'HTTP_ST' header to test if the device is vulnerable, but only in a controlled and authorized environment."}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps for this OS command injection vulnerability in the D-Link DIR-820LW router include:'}, {'type': 'list_item', 'content': "Restrict remote access to the router's management interface to trusted networks only."}, {'type': 'list_item', 'content': 'Disable or limit SSDP services if not required, as the vulnerability is in the SSDP component.'}, {'type': 'list_item', 'content': "Monitor network traffic for suspicious HTTP requests targeting the 'HTTP_ST' environment variable."}, {'type': 'list_item', 'content': 'Apply any available firmware updates or patches from D-Link addressing this vulnerability once released.'}, {'type': 'list_item', 'content': 'If no patch is available, consider isolating the device from untrusted networks to prevent remote exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart