CVE-2026-2061 - Vulnerability Details

- D-Link DIR-823X set_ipv6 sub_424D20 os command injection

Description

A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

Published: 2026-02-06

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A subroutine in the DIR-823X firmware’s /goform/set_ipv6 handler allows an attacker to inject and execute arbitrary operating‑system commands. The flaw is exploitable remotely, yielding full control over the device’s operating system. An attacker could compromise confidentiality, integrity, and availability by modifying system configuration, exfiltrating data, or using the router as a pivot for further attacks.

Affected Systems

The vulnerability exists in D-Link’s DIR-823X router running firmware build 250416. No other firmware revisions are known to be impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS <1% suggests a low likelihood of exploitation in the wild. The vulnerability is not identified in CISA’s KEV catalog. Based on the description, the likely attack vector is via HTTP access to the device’s web interface and the ability to submit crafted parameters to the /goform/set_ipv6 endpoint. If it is reachable from external networks, an attacker could create a long‑lived backdoor or modify routing tables.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DIR-823X

affected

Version	Status	Constraints
`250416`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dir-823x_firmware:250416:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-832x:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
D-link	Dir-823x	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any available firmware update from D-Link that addresses the /goform/set_ipv6 command‑injection flaw.
If a firmware fix is not yet available, block or restrict remote access to the router’s web‑management interface, particularly the /goform/set_ipv6 endpoint, using firewall rules or local access controls.
Disable remote IPv6 configuration or remove the vulnerable endpoint from the web interface to eliminate the attack surface until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 13:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00195.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/master-abc/cve/issues/20
https://vuldb.com/?ctiid.344621
https://vuldb.com/?id.344621
https://vuldb.com/?submit.744286
https://www.dlink.com/

History

Wed, 11 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dir-823x Firmware Dlink dir-832x
CPEs		cpe:2.3:h:dlink:dir-832x:-:::::::* cpe:2.3:o:dlink:dir-823x_firmware:250416:::::::*
Vendors & Products		Dlink Dlink dir-823x Firmware Dlink dir-832x

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link dir-823x
Vendors & Products		D-link D-link dir-823x

Fri, 06 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title		D-Link DIR-823X set_ipv6 sub_424D20 os command injection
Weaknesses		CWE-77 CWE-78
References		https://github.com/master-abc/cve/issues/20 https://vuldb.com/?ctiid.344621 https://vuldb.com/?id.344621 https://vuldb.com/?submit.744286 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

D-link Dir-823x

Dlink Dir-823x Firmware Dir-832x

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-06T18:02:09.216Z

Updated: 2026-02-23T09:26:45.939Z

Reserved: 2026-02-06T06:34:43.625Z

Link: CVE-2026-2061

Vulnrichment

Updated: 2026-02-06T18:49:00.343Z

NVD

Status : Analyzed

Published: 2026-02-06T18:16:00.513

Modified: 2026-02-11T19:04:07.420

Link: CVE-2026-2061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object