CVE-2026-3485

9.8 CRITICAL

📋 TL;DR

This CVE describes a remote command injection vulnerability in the SSDP service of D-Link DIR-868L routers. An attacker can execute arbitrary operating system commands by manipulating the ST argument, potentially leading to complete device compromise. It affects only products the manufacturer no longer supports.

💻 Affected Systems

Products:
  • D-Link DIR-868L
Versions: firmware 110b03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with SSDP service enabled (default). Products are end-of-life with no vendor support.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full router compromise, allowing an attacker to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of botnet malware.

🟢 If Mitigated

Limited impact if the device is isolated from the internet and from internal networks, though local network attacks remain possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication. The attack can be launched remotely over the network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available. Device is end-of-life. Replace with supported hardware.

🔧 Temporary Workarounds

Disable SSDP Service

Turn off the SSDP (Simple Service Discovery Protocol) service to prevent exploitation:

  • Log in to the router admin interface
  • Navigate to Advanced > Network > UPnP
  • Disable the UPnP/SSDP service
  • Save and reboot

Network Segmentation

Isolate the vulnerable router from critical internal networks:

  • Place the router in a DMZ or a separate VLAN
  • Configure firewall rules to restrict access to the router
  • Disable WAN management if it is enabled

🧯 If You Can't Patch

  • Immediately replace affected D-Link DIR-868L routers with supported hardware
  • Implement strict network segmentation and firewall rules to isolate vulnerable devices

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is 110b03 and SSDP is enabled, the device is vulnerable.

Check Version:

Log in to the router web interface and check Firmware Version under Status or System Information.

Verify Fix Applied:

Verify that the SSDP service is disabled in the router settings, then confirm with a network scan (nmap -sU -p 1900) that nothing responds on UDP port 1900.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSDP traffic patterns
  • Multiple connection attempts to port 1900
  • Router configuration changes not initiated by admin

Network Indicators:

  • SSDP M-SEARCH requests with unusual ST parameters
  • Outbound connections from router to suspicious IPs
  • Sudden changes in router DNS settings

SIEM Query:

source="router.log" AND ("SSDP" OR "port 1900") AND ("M-SEARCH" OR "ST:") | stats count by src_ip
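The "unusual ST parameters" indicator above can be checked mechanically: parse each SSDP M-SEARCH datagram, compare its ST header against the search-target forms the UPnP specification defines, and flag values carrying shell metacharacters. The following is an added example for this page, not code from the vendor or from any published tooling; the datagrams and IP addresses are constructed, and the allowlist regex is an assumption that may need widening for vendor-specific search targets on your network.

```python
import re

# Constructed SSDP datagrams (not real captures): a normal discovery and one whose ST carries shell metacharacters.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                   b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'),
    ("192.0.2.77", b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                   b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice;$(x)\r\n\r\n'),
]

# Search-target forms defined by the UPnP device architecture (assumed allowlist); vendor-specific targets are 'unrecognized', not 'suspicious'.
LEGIT_ST = re.compile(
    r"^(ssdp:all|upnp:rootdevice|uuid:[0-9A-Za-z-]+"
    r"|urn:[A-Za-z0-9.-]+:(device|service):[A-Za-z0-9_.-]+:\d+)$")
SHELL_META = set(";|&`$(){}<>\n")

def parse_msearch(datagram: bytes):
    """Header dict of an M-SEARCH datagram, or None if it is some other SSDP message."""
    head = datagram.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().upper()] = value.strip()
    return headers

def classify_st(st: str) -> str:
    """'ok' = spec-conformant, 'suspicious' = shell metacharacters, else 'unrecognized'."""
    if LEGIT_ST.match(st):
        return "ok"
    if any(c in SHELL_META for c in st):
        return "suspicious"
    return "unrecognized"

def scan(datagrams):
    """Return (src_ip, verdict, st) for each M-SEARCH whose ST is not 'ok'."""
    findings = []
    for src_ip, raw in datagrams:
        headers = parse_msearch(raw)
        if headers is None:
            continue
        st = headers.get("ST", "")  # a missing ST is itself malformed and gets flagged
        verdict = classify_st(st)
        if verdict != "ok":
            findings.append((src_ip, verdict, st))
    return findings
```

Feed it the UDP/1900 payloads from a packet capture or sensor and forward 'suspicious' findings with the source IP to the SIEM; 'unrecognized' values are worth reviewing once and adding to the allowlist if they belong to legitimate devices.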
