CVE-2026-2063

4.7 MEDIUM

📋 TL;DR

This CVE describes an OS command injection vulnerability in D-Link DIR-823X routers. Attackers can execute arbitrary commands remotely by manipulating the 'ac_server' parameter in the web management interface. This affects all users of vulnerable D-Link DIR-823X routers with the web interface exposed.

💻 Affected Systems

Products:
  • D-Link DIR-823X
Versions: Firmware version 250416
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The web management interface is typically enabled by default. The vulnerability is in the /goform/set_ac_server endpoint.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or brick the device.

🟠 Likely Case: Attackers gain shell access to the router, modify configurations, steal credentials, or use the router as a foothold for further attacks.

🟢 If Mitigated: Limited impact if the web interface is not internet-facing and network segmentation prevents lateral movement from compromised routers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub. The vulnerability requires no authentication and is simple to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

1. Check the D-Link website for firmware updates.
2. Download the appropriate firmware.
3. Log into the router web interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.

🔧 Temporary Workarounds

Disable Web Management Interface (applies to: all): Prevent access to the vulnerable endpoint by disabling the web interface entirely.

Restrict Web Interface Access (applies to: all): Configure firewall rules to only allow web interface access from trusted IP addresses.

🧯 If You Can't Patch

  • Segment router management interface to isolated VLAN
  • Implement strict network monitoring for unusual traffic from router

🔍 How to Verify

Check if Vulnerable:

Check if router responds to requests at /goform/set_ac_server with ac_server parameter containing command injection payloads

Check Version:

Log into router web interface and check firmware version in system status

Verify Fix Applied:

Test if command injection payloads no longer execute when sent to the vulnerable endpoint

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/set_ac_server
  • Commands containing shell metacharacters in ac_server parameter
  • Unexpected processes spawned from router

Network Indicators:

  • Outbound connections from router to unexpected destinations
  • Unusual traffic patterns from router management IP

SIEM Query:

(dest_ip=router_ip AND uri_path="/goform/set_ac_server") OR (source_ip=router_ip AND (cmd="sh" OR cmd="bash"))
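As an added illustration of the log indicators above (not code from the advisory or from D-Link), the following checks request records against the vulnerable endpoint: it flags an ac_server value that contains shell metacharacters after URL decoding and treats anything that is not a plain hostname or IPv4 literal as suspicious. The request records and field layout are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not taken from the page): method, path, raw body.
SAMPLE_REQUESTS = [
    ("POST", "/goform/set_ac_server", "ac_server=ac.example.net"),
    ("POST", "/goform/set_ac_server", "ac_server=192.0.2.10"),
    ("POST", "/goform/set_ac_server", "ac_server=ac.example.net%3Bid"),
    ("POST", "/goform/set_ac_server", "ac_server=$(id)"),
    ("GET", "/index.html", ""),
]

TARGET_PATH = "/goform/set_ac_server"
# Characters a shell would interpret; a plain hostname or IPv4 never contains them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
HOST_OK = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")

def parse_body(body):
    """Minimal x-www-form-urlencoded parser: split on '&' only, then decode.
    Done by hand so ';' is never treated as a separator (older versions of
    urllib.parse.parse_qs did that, which would hide a ';' inside the value)."""
    params = {}
    for field in body.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def classify(method, path, body):
    """Return (verdict, reason) for one request record."""
    if path != TARGET_PATH:
        return ("ignore", "not the vulnerable endpoint")
    if method != "POST":
        return ("suspicious", "non-POST request to endpoint")
    values = parse_body(body).get("ac_server", [])
    if not values:
        return ("suspicious", "ac_server parameter missing")
    for v in values:
        if SHELL_META.search(v):
            return ("alert", "shell metacharacters in ac_server")
        if not HOST_OK.match(v):
            return ("suspicious", "ac_server is not a plain hostname or IPv4")
    return ("ok", "well-formed ac_server")

def scan(requests):
    """Classify every record; 'alert' rows are what the SIEM query should surface."""
    return [classify(*r) for r in requests]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req[2] or req[1], "->", verdict)
```

Percent-decoding before matching matters: an encoded `%3B` reaches the device as a literal `;`, so a rule that inspects only the raw body would miss it.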
