Cyber Resilience

CVE-2026-1505

High · Public PoC · RCE

Published: 28 January 2026
Modified: 30 January 2026
KEV Added: -
Patch: -
CVSS Score v4: 7.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0078 (74.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1505 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DIR-615 firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-1505 is an OS command injection vulnerability (CWE-77, CWE-78) in the URL Filter component of D-Link DIR-615 firmware version 4.10, specifically affecting the processing of the /set_temp_nodes.php file. Manipulating the input to this file allows injection of arbitrary operating system commands. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability affects only products that are no longer supported by the maintainer.

The vulnerability is exploitable remotely over the network with low attack complexity and no user interaction required, but it demands high privileges (PR:H), such as administrative access to the device. Successful exploitation enables attackers to achieve high-impact confidentiality, integrity, and availability violations, potentially allowing full compromise of the router through arbitrary command execution.

Advisories from sources like VulDB indicate no patches are available, as the affected D-Link DIR-615 devices are end-of-life and unsupported. Mitigation relies on network segmentation, access controls to restrict privileged access, or device replacement. The exploit has been publicly disclosed and could be weaponized.

Notable context includes the public availability of the exploit, increasing risk for exposed legacy deployments, though no confirmed real-world exploitation has been reported in the provided details.

Vulnerability details

A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

OS command injection in the router's public-facing web component (set_temp_nodes.php) enables remote exploitation of the application and arbitrary Unix shell command execution, leading to privilege escalation and full device compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2151 (Same product: Dlink Dir-615)
CVE-2026-2152 (Same product: Dlink Dir-615)
CVE-2026-1448 (Same product: Dlink Dir-615)
CVE-2026-1506 (Same product: Dlink Dir-615)
CVE-2026-2260 (Same vendor: Dlink)
CVE-2026-4465 (Same vendor: Dlink)
CVE-2026-2210 (Same vendor: Dlink)
CVE-2026-8273 (Same vendor: Dlink)
CVE-2026-8272 (Same vendor: Dlink)
CVE-2026-2157 (Same vendor: Dlink)

Affected Assets

Vendor: dlink
Product: dir-615 firmware
Version: 4.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces least privilege on administrative accounts so that even authenticated users cannot reach or abuse the /set_temp_nodes.php URL-filter function with OS-level command execution rights.

Prevent: Boundary-protection rules (firewalls, segmentation, ACLs) block remote attackers from reaching the web-management interface of the unsupported DIR-615 before the injection can be attempted.

Prevent, Recover: Directly requires organizations to replace, isolate, or otherwise mitigate continued use of end-of-life devices for which no patches exist for the command-injection flaw.
