Cyber Resilience

CVE-2023-26822

CriticalPublic PoCRCE

Published: 01 April 2023

Published
01 April 2023
Modified
11 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2566 96.4th percentile
Risk Priority 35 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-26822 is a critical-severity Command Injection (CWE-77) vulnerability in Dlink Go-Rt-Ac750 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 3.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

D-Link Go-RT-AC750 revA_v101b03 contains a command injection vulnerability via the service parameter at soapcgi.main. The flaw is tracked as CVE-2023-26822, carries a CVSS 3.1 base score of 9.8, and is associated with CWE-77.

An unauthenticated attacker with network access can supply crafted input to the affected SOAP endpoint and execute arbitrary commands on the device, resulting in full control over confidentiality, integrity, and availability without requiring user interaction.

Public references consist of a D-Link security bulletin page and a GitHub repository containing a technical description of the issue. The EPSS score is recorded at 0.2566 with no material change from its observed peak.

EU & UK References

Vulnerability details

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at soapcgi.main.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
go-rt-ac750 firmware
reva_v101b03

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References