CVE-2026-0732
Published: 09 January 2026
Summary
CVE-2026-0732 is a medium-severity Injection (CWE-74) vulnerability in Dlink Di-8200G Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-0732 by identifying, prioritizing, and applying firmware patches or vendor-specific remediations for the command injection flaw in /upgrade_filter.asp.
Prevents command injection exploitation by enforcing validation of the 'path' argument to block improper neutralization of special elements in the vulnerable /upgrade_filter.asp function.
Reduces impact of successful command injection by enforcing least privilege on the low-privilege (PR:L) account or process handling the /upgrade_filter.asp endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in web interface (/upgrade_filter.asp) of public-facing router enables exploitation of public-facing application (T1190) for arbitrary command execution on network device CLI (T1059.008).
NVD Description
A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attack may be performed from remote. The exploit has been made public…
more
and could be used.
Deeper analysisAI
CVE-2026-0732 is a command injection vulnerability affecting the D-Link DI-8200G router running firmware version 17.12.20A1. The issue resides in an unknown function within the /upgrade_filter.asp file, where manipulation of the 'path' argument enables arbitrary command execution. Associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the device.
References include GitHub repositories detailing a proof-of-concept (PoC) for the command execution vulnerability and VulDB entries (ctiid.340129, id.340129, submit.733275) documenting the issue, though no specific patches or mitigation steps from vendor advisories are detailed in available sources.
The exploit has been made public and could be used, increasing the risk for unpatched D-Link DI-8200G devices.
Details
- CWE(s)