Login Sign Up

CVE-2026-2081

4.7 MEDIUM
Remote Code Execution

📋 TL;DR

This CVE describes an OS command injection vulnerability in D-Link DIR-823X routers via the /goform/set_password endpoint. Attackers can remotely execute arbitrary commands by manipulating the http_passwd parameter. All users of affected D-Link DIR-823X routers with firmware version 250416 are vulnerable.

💻 Affected Systems

Products:
  • D-Link DIR-823X
Versions: Firmware version 250416
Operating Systems: Embedded Linux/RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or brick the device.

🟠

Likely Case

Attackers gain unauthorized access to router configuration, modify network settings, intercept traffic, or use the device as a foothold for further attacks.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing lateral movement from compromised router.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing routers directly exposed to attackers.
🏢 Internal Only: MEDIUM - Internal routers could be targeted through phishing or compromised internal hosts, but require initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available on GitHub and VulDB, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check D-Link support site for firmware updates
2. Download latest firmware if available
3. Upload firmware via router admin interface
4. Reboot router after update

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace affected routers with supported models
  • Implement strict firewall rules blocking access to port 80/443 from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is 250416, device is vulnerable.

Check Version:

Check via router web interface at http://[router-ip]/ or using curl: curl -s http://[router-ip]/

Verify Fix Applied:

Verify firmware version has been updated to a version newer than 250416.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/set_password
  • Suspicious command execution in system logs
  • Multiple failed login attempts

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to known malicious IPs
  • Port scanning originating from router

SIEM Query:

source="router-logs" AND (uri="/goform/set_password" OR command="*sh*" OR process="*bin*sh*")

📊 Metadata

CVE ID: CVE-2026-2081
CVSS v3 Score: 4.7 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-77
EPSS Score: 0.18% exploit probability (39.3th percentile)
Published: February 7, 2026
Last Updated: February 9, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2081, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)