Description
A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.
Published: 2026-02-08
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via OS command injection
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in the /goform/set_ac_status API of the D-Link DIR-823X router and is triggered when the parameters ac_ipaddr, ac_ipstatus, or ap_randtime are supplied with crafted values. These inputs are not properly sanitized, allowing an attacker to inject arbitrary operating system commands. If successful, the attacker could execute code with the privileges of the router, potentially gaining full control over the device and the network segment it serves. The weakness is categorized as CWE-77 (command injection) and CWE-78 (OS command injection).

Affected Systems

The affected hardware is the D-Link DIR‑823X router running firmware version 250416. No additional versions are specified as vulnerable in the CNA data, so only this build should be investigated and remedied.

Risk and Exploitability

With a CVSS v4.0 base score of 8.6, the vulnerability is rated High. The EPSS score is below 1%, indicating a very low projected exploitation probability at this time. However, the exploit has already been made public and the router is exposed to remote management by default, making the risk more acute for exposed installations. The CVSS vectors in the record set PR:H, meaning the attacker needs high privileges on the device before the injection can be reached. The vulnerability is not yet listed in the CISA KEV catalog, but administrators should treat it as high risk until a vendor patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version released by D‑Link that fixes the command injection issue.
  • If an update is not immediately available, isolate the device by restricting remote management to a trusted internal subnet or disable the web interface from external networks.
  • Configure firewall or ACL rules to block traffic to the /goform/set_ac_status endpoint from untrusted sources.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Dlink; Dlink dir-823x; Dlink dir-823x Firmware |
| CPEs | | `cpe:2.3:h:dlink:dir-823x:-:*:*:*:*:*:*:*`; `cpe:2.3:o:dlink:dir-823x_firmware:250416:*:*:*:*:*:*:*` |
| Vendors & Products | | Dlink; Dlink dir-823x; Dlink dir-823x Firmware |

Tue, 10 Feb 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Mon, 09 Feb 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | D-link; D-link dir-823x |
| Vendors & Products | | D-link; D-link dir-823x |

Sun, 08 Feb 2026 02:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. |
| Title | | D-Link DIR-823X set_ac_status os command injection |
| Weaknesses | | CWE-77; CWE-78 |
| References | | |
| Metrics | | cvssV2_0: `{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` |
| | | cvssV3_0: `{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` |
| | | cvssV3_1: `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` |
| | | cvssV4_0: `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:36:41.482Z

Reserved: 2026-02-06T20:45:52.197Z

Link: CVE-2026-2129

Vulnrichment

Updated: 2026-02-10T21:16:01.430Z

NVD

Status: Analyzed

Published: 2026-02-08T02:15:56.853

Modified: 2026-02-11T18:59:14.750

Link: CVE-2026-2129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z
