Cyber Resilience

CVE-2026-0732

MediumPublic PoC

Published: 09 January 2026

Published
09 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0995 95.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-0732 is a medium-severity Injection (CWE-74) vulnerability in Dlink Di-8200G Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0732 is a command injection vulnerability affecting the D-Link DI-8200G router running firmware version 17.12.20A1. The issue resides in an unknown function within the /upgrade_filter.asp file, where manipulation of the 'path' argument enables arbitrary command execution. Associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the device.

References include GitHub repositories detailing a proof-of-concept (PoC) for the command execution vulnerability and VulDB entries (ctiid.340129, id.340129, submit.733275) documenting the issue, though no specific patches or mitigation steps from vendor advisories are detailed in available sources.

The exploit has been made public and could be used, increasing the risk for unpatched D-Link DI-8200G devices.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attack may be performed from remote. The exploit has been made public…

more

and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Command injection in web interface (/upgrade_filter.asp) of public-facing router enables exploitation of public-facing application (T1190) for arbitrary command execution on network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15357Same vendor: Dlink
CVE-2026-1125Same vendor: Dlink
CVE-2026-2163Same vendor: Dlink
CVE-2025-13306Same vendor: Dlink
CVE-2025-7192Same vendor: Dlink
CVE-2025-10401Same vendor: Dlink
CVE-2025-15191Same vendor: Dlink
CVE-2026-8346Same vendor: Dlink
CVE-2025-60854Same vendor: Dlink
CVE-2025-55848Same vendor: Dlink

Affected Assets

dlink
di-8200g firmware
17.12.20a1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-0732 by identifying, prioritizing, and applying firmware patches or vendor-specific remediations for the command injection flaw in /upgrade_filter.asp.

prevent

Prevents command injection exploitation by enforcing validation of the 'path' argument to block improper neutralization of special elements in the vulnerable /upgrade_filter.asp function.

prevent

Reduces impact of successful command injection by enforcing least privilege on the low-privilege (PR:L) account or process handling the /upgrade_filter.asp endpoint.

References