CVE-2026-8345: D-Link DIR-816 Firmware RCE Vulnerability

CVE-2026-8345 Overview

CVE-2026-8345 is a command injection vulnerability in the D-Link DIR-816 router running firmware version 1.10CNB05_R1B011D88210. The flaw resides in the sub_445E7C function handling requests to /goform/singlePortForward. Attackers can manipulate the ip_address parameter to inject arbitrary operating system commands. The issue is classified under CWE-74 (Improper Neutralization of Special Elements in Output). The exploit has been publicly disclosed, increasing the risk of opportunistic abuse against exposed devices. The D-Link DIR-816 is an end-of-life consumer router, which limits vendor remediation options.

Critical Impact

Authenticated attackers can remotely inject operating system commands into the router's port-forwarding configuration handler, potentially gaining control over the device.

Affected Products

• D-Link DIR-816 hardware revision A2
• D-Link DIR-816 firmware 1.10CNB05_R1B011D88210
• Deployments exposing the web management interface to untrusted networks

Discovery Timeline

• 2026-05-11 - CVE-2026-8345 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-8345

Vulnerability Analysis

The DIR-816 web management interface exposes a port-forwarding endpoint at /goform/singlePortForward. The handler function sub_445E7C reads the user-controlled ip_address argument and incorporates it into a shell command without sanitization. Because the input is concatenated directly into a system call, shell metacharacters such as ;, |, and backticks are interpreted by the underlying shell. Successful injection executes commands with the privileges of the web server process, which on consumer router firmware typically runs as root. The attack is reachable over the network and requires only low privileges, consistent with the device's authenticated administrative interface. EPSS data places the probability of exploitation at 0.089% with a percentile of 25.18 as of 2026-05-17.

Root Cause

The root cause is improper neutralization of special elements passed to a downstream component [CWE-74]. The ip_address parameter is treated as trusted input and passed to a command interpreter without validation, escaping, or use of a safe execution API. No allowlist for IP address formatting is enforced before the value reaches the shell.

Attack Vector

An attacker submits a crafted HTTP POST request to /goform/singlePortForward with an ip_address value containing shell metacharacters followed by an arbitrary command. The web server invokes the handler, builds a shell command string, and executes the attacker payload. Because exploitation occurs through the standard management interface, any path that exposes the web UI to attackers — including LAN-side foothold devices or misconfigured WAN exposure — enables the attack.

No verified public exploit code is referenced in the advisory. See the GitHub IoT Bug Report and the VulDB Vulnerability #362661 entries for the original technical write-up.

Detection Methods for CVE-2026-8345

Indicators of Compromise

• HTTP POST requests to /goform/singlePortForward containing shell metacharacters such as ;, &&, |, or backticks in the ip_address field
• Outbound connections from the router to unfamiliar hosts shortly after configuration changes
• Unexpected processes, cron entries, or modified startup scripts on the device

Detection Strategies

• Inspect web server and access logs on the router for malformed ip_address values that do not match a strict IPv4 pattern
• Monitor network telemetry for anomalous router-originated traffic, particularly DNS lookups or outbound shells to non-RFC1918 destinations
• Apply network IDS signatures that flag command injection patterns targeting /goform/ endpoints common to D-Link firmware

Monitoring Recommendations

• Aggregate router syslog output to a central SIEM or data lake for retention and correlation
• Alert on configuration changes to port forwarding rules that originate from unexpected source addresses
• Track repeated authentication attempts against the router admin interface as a precursor to exploitation

How to Mitigate CVE-2026-8345

Immediate Actions Required

• Disable remote (WAN) management on the DIR-816 if it is enabled
• Restrict access to the LAN-side management interface using firewall rules or VLAN segmentation
• Change default administrator credentials and enforce a strong password to limit access to the vulnerable endpoint
• Plan migration to a supported router platform, as the DIR-816 is no longer actively maintained

Patch Information

No vendor patch is referenced in the advisory data. The DIR-816 line is end-of-life for most regions, and D-Link has not published a fix for firmware 1.10CNB05_R1B011D88210 in the cited references. Consult the D-Link Official Website for any regional firmware updates or replacement guidance.

Workarounds

• Block external access to TCP ports 80 and 443 on the router's WAN interface
• Place the router's management interface behind a VPN reachable only by trusted administrators
• Remove or restrict accounts that have access to the port-forwarding configuration page
• Replace the device with a vendor-supported router that receives security updates

# Example: restrict router admin interface to a single trusted host on the LAN
# Run on an upstream firewall, not the vulnerable router itself
iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 80  -s 192.0.2.50 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 443 -s 192.0.2.50 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 80  -j DROP
iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 443 -j DROP