CVE-2026-2129 in DIR-823X

Summary

by MITRE • 02/08/2026

A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in OS command injection. The attack may be initiated remotely. The exploit has been made public and could be used.


Analysis

by VulDB Data Team • 02/09/2026

CVE-2026-2129 is a critical command injection flaw in the D-Link DIR-823X 250416 router firmware, affecting the /goform/set_ac_status endpoint. The web interface's form handler does not adequately validate or sanitize the ac_ipaddr, ac_ipstatus and ap_randtime parameters before they reach a system command, so a malicious actor can execute arbitrary operating system commands on the device. Because the DIR-823X is a consumer-grade router that typically sits in home or small office networks, the flaw exposes those environments directly.

Exploitation follows the established OS command injection pattern: user-supplied input is incorporated directly into a system command without sanitization. The flaw maps to CWE-77 and CWE-88, which cover command injection where attacker-controllable data reaches a command execution context. The attack vector is remote, meaning an unauthenticated attacker can potentially exploit the device from outside the local network, which makes the impact far more severe than a local scenario would be. Since the exploit has been made publicly available, the vulnerability is not merely theoretical; security researchers and malicious actors alike can use it to compromise affected devices.

The operational impact goes beyond unauthorized command execution: the attacker gains complete control of the router's operating system. With that access an adversary can modify network configuration, redirect traffic, establish persistent backdoors, or use the router as a pivot point against other systems on the local network. A compromised device could also be enrolled in a botnet, act as a command and control node in larger campaigns, take part in distributed denial-of-service attacks, or provide a covert channel for malware distribution. Because the flaw sits in a consumer-grade router, typical network security measures such as firewalls or intrusion detection systems may not adequately protect against this threat vector.

Mitigation should start with a firmware update from D-Link, if one is available, together with network segmentation to limit the impact of a successful exploit. Administrators should enforce strict access controls and monitor for unusual traffic patterns that might indicate exploitation attempts; a network intrusion prevention system with signature-based detection can identify and block known exploitation patterns for this vulnerability. Organizations should also disable unnecessary web management interfaces and restrict network access to router management functions. As a remote command injection flaw, the vulnerability is particularly dangerous where the physical security of network devices cannot be guaranteed, which underlines the need for security measures beyond traditional perimeter defenses.
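Two of the mitigations above, strict allow-list validation of the three parameters and detection of injection attempts in web-server access logs, as an added Python example (this is not VulDB's or D-Link's code; the expected value formats, the Common Log Format layout and the sample log lines are assumptions constructed for the example):

```python
import re
from ipaddress import IPv4Address, AddressValueError
from urllib.parse import parse_qs, urlparse

ENDPOINT = "/goform/set_ac_status"  # endpoint named in the advisory
# Characters with meaning to a POSIX shell; no valid value for these fields needs them.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")

def _is_ipv4(value):
    try:
        IPv4Address(value)
        return True
    except AddressValueError:
        return False

# Allow-list per advisory parameter; the expected formats are assumptions for this example.
VALIDATORS = {
    "ac_ipaddr": _is_ipv4,                                     # dotted-quad IPv4 only
    "ac_ipstatus": lambda v: v in ("0", "1"),                  # on/off flag
    "ap_randtime": lambda v: v.isdigit() and int(v) <= 86400,  # seconds, bounded
}

def suspicious_params(request_target):
    """Names of advisory parameters whose value carries shell metacharacters or fails validation."""
    parsed = urlparse(request_target)
    if parsed.path != ENDPOINT:
        return []
    query = parse_qs(parsed.query, keep_blank_values=True)  # percent-decodes values
    return [name for name, ok in VALIDATORS.items()
            if any(SHELL_META.search(v) or not ok(v) for v in query.get(name, []))]

# Common Log Format: client ident user [timestamp] "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    # Returns (client_ip, flagged_params) for every request that looks like an injection attempt.
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        flagged = suspicious_params(m.group(2)) if m else []
        if flagged:
            hits.append((m.group(1), flagged))
    return hits

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2026:10:00:00 +0000] "GET /goform/set_ac_status?ac_ipaddr=192.168.0.20&ac_ipstatus=1&ap_randtime=30 HTTP/1.1" 200 12',
    '198.51.100.7 - - [08/Feb/2026:10:00:05 +0000] "GET /goform/set_ac_status?ac_ipaddr=192.168.0.20%3Bprobe&ac_ipstatus=1&ap_randtime=30 HTTP/1.1" 200 12',
    '203.0.113.4 - - [08/Feb/2026:10:00:09 +0000] "GET /goform/set_ac_status?ac_ipaddr=192.168.0.20&ac_ipstatus=1&ap_randtime=30x HTTP/1.1" 200 12',
    '192.0.2.10 - - [08/Feb/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

In a real deployment the validators belong in the form handler itself, before any value reaches a command; the log scan only sees parameters that appear in the request target, so POST bodies are not covered by it.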

Responsible

VulDB

Disclosure

02/08/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00131

KEV

no

Activities

very low
