CVE-2026-2120 in DIR-823X
Summary
by MITRE • 02/08/2026
A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability CVE-2026-2120 represents a critical command injection flaw in D-Link DIR-823X 250416 routers that resides within the Configuration Parameter Handler component. This issue specifically affects the /goform/set_server_settings file which processes user-supplied parameters for terminal address, server IP, and server port configurations. The vulnerability stems from inadequate input validation and sanitization within the web interface form handler, creating a pathway for malicious actors to execute arbitrary operating system commands on the affected device. The flaw operates at the application layer and demonstrates a classic lack of proper parameter filtering that allows attackers to bypass normal security controls.
The technical exploitation of this vulnerability occurs through the manipulation of specific arguments within the set_server_settings form handler, where the terminal_addr, server_ip, and server_port parameters are directly incorporated into system commands without proper sanitization. This type of vulnerability maps directly to CWE-77 which defines improper neutralization of special elements used in OS commands, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter. The attack surface is particularly concerning as it enables remote code execution without requiring authentication, making it accessible to any attacker who can reach the device's web interface. The publicly available exploit demonstrates that this vulnerability has already been weaponized in the wild, increasing the risk profile significantly.
The operational impact of this vulnerability extends beyond simple unauthorized access, as successful exploitation allows attackers to gain full control over the affected router's operating system. This includes the ability to modify network configurations, establish persistent backdoors, redirect traffic, or use the device as a pivot point for attacking other systems within the local network. The compromised device could serve as a launchpad for broader network infiltration, potentially enabling attackers to access connected IoT devices, workstations, or corporate networks. Additionally, the router's role as a gateway device means that any compromise could result in complete network exposure and data exfiltration capabilities.
Mitigation strategies for CVE-2026-2120 should prioritize immediate firmware updates from D-Link, as this represents the most effective defense against the vulnerability. Network segmentation and access control measures should be implemented to limit exposure of affected devices to untrusted networks. The implementation of web application firewalls and intrusion detection systems can help detect and block exploitation attempts. Security monitoring should focus on unusual network traffic patterns or command execution attempts that may indicate exploitation. Organizations should also conduct comprehensive network assessments to identify all affected D-Link DIR-823X devices and ensure proper network access controls are in place to prevent unauthorized access to administrative interfaces. The vulnerability's remote exploitability and public availability necessitates urgent remediation actions across all affected deployments.