Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-2175

CVE-2026-2175: D-Link DIR-823X Firmware RCE Vulnerability

CVE-2026-2175 is a remote code execution vulnerability in D-Link DIR-823X firmware caused by OS command injection in the set_upnp function. This article covers the technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2026-2175 Overview

CVE-2026-2175 is an operating system command injection vulnerability affecting the D-Link DIR-823X router running firmware version 250416. The flaw resides in the sub_420618 function within the /goform/set_upnp endpoint. Attackers can manipulate the upnp_enable argument to inject arbitrary operating system commands. The vulnerability is exploitable remotely over the network, and proof-of-concept details have been disclosed publicly. Successful exploitation grants attackers command execution on the router with the privileges of the web service process. This compromises the integrity, confidentiality, and availability of the device and any traffic it routes.

Critical Impact

Remote attackers can execute arbitrary operating system commands on affected D-Link DIR-823X routers by manipulating the upnp_enable parameter, enabling full device takeover and pivot opportunities into connected networks.

Affected Products

  • D-Link DIR-823X router (hardware)
  • D-Link DIR-823X firmware version 250416
  • Networks exposing the /goform/set_upnp web management endpoint

Discovery Timeline

  • 2026-02-08 - CVE-2026-2175 published to the National Vulnerability Database
  • 2026-02-11 - Last updated in NVD database

Technical Details for CVE-2026-2175

Vulnerability Analysis

The vulnerability is an operating system command injection issue classified under [CWE-77] and [CWE-78]. It exists in the sub_420618 function that processes requests to the /goform/set_upnp endpoint on the D-Link DIR-823X router. The function handles the upnp_enable parameter without proper sanitization or validation before passing it to a system shell. Attackers can append shell metacharacters and arbitrary commands to the parameter value. The injected commands execute in the context of the web server process on the embedded Linux operating system. Given the router's role at the network perimeter, an attacker gains a strategic foothold for traffic interception, DNS manipulation, or lateral movement.

Root Cause

The root cause is improper neutralization of special elements used in an operating system command. The sub_420618 handler concatenates attacker-supplied input from upnp_enable directly into a shell command string. Embedded router firmware commonly invokes helper utilities through system() or popen() calls. Without input validation, characters such as ;, |, &&, and backticks allow command chaining.

Attack Vector

Exploitation requires network access to the router's web management interface and authenticated access at high privilege level. The attacker sends a crafted HTTP request to /goform/set_upnp containing malicious shell syntax within the upnp_enable parameter. The router processes the request, executes the injected command, and returns control to the attacker. Public disclosure of the technique increases the likelihood of opportunistic exploitation. See the GitHub Issue Discussion for technical reproduction details.

No verified exploit code is published in this advisory. Technical reproduction steps are documented in the VulDB entry #344876.

Detection Methods for CVE-2026-2175

Indicators of Compromise

  • HTTP POST requests to /goform/set_upnp containing shell metacharacters such as ;, |, &, or backticks in the upnp_enable parameter
  • Unexpected outbound connections originating from the router to attacker-controlled infrastructure
  • New or modified persistence artifacts in router NVRAM, such as altered rc.local or boot scripts
  • Unauthorized DNS configuration changes redirecting client lookups

Detection Strategies

  • Inspect HTTP traffic destined for router management interfaces for anomalous payloads targeting /goform/ endpoints
  • Deploy network intrusion detection signatures matching command injection patterns in UPnP configuration parameters
  • Correlate router log entries with downstream client behavior to identify post-compromise activity

Monitoring Recommendations

  • Forward router syslog data to a centralized logging or SIEM platform for retention and correlation
  • Alert on administrative configuration changes to UPnP services outside of approved maintenance windows
  • Monitor for firmware integrity changes and unexpected process execution on edge networking devices

How to Mitigate CVE-2026-2175

Immediate Actions Required

  • Restrict access to the router's web management interface to trusted internal hosts only
  • Disable remote administration on the WAN interface if it is currently enabled
  • Disable UPnP functionality if it is not required in the deployment environment
  • Rotate administrative credentials on all affected D-Link DIR-823X devices

Patch Information

At the time of publication, no vendor patch is referenced in the NVD entry for CVE-2026-2175. Administrators should monitor the D-Link Security Information portal for firmware updates addressing this issue and apply them when available.

Workarounds

  • Place affected routers behind a network segmentation boundary that blocks untrusted access to TCP port 80 and 443 on the management interface
  • Apply firewall rules to drop inbound requests to /goform/set_upnp from untrusted sources
  • Replace the DIR-823X with a supported model if a fixed firmware release is not made available

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne