CVE-2026-2082
Published: 07 February 2026
Summary
CVE-2026-2082 is a medium-severity Command Injection (CWE-77) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2082 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the D-Link DIR-823X router on firmware version 250416. The flaw resides in an unknown function within the /goform/set_mac_clone file, where manipulation of the "mac" argument enables arbitrary OS command execution. Published on 2026-02-07, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable with low attack complexity but requires high privileges, such as authenticated administrative access to the device. An attacker with these privileges can inject and execute OS commands, resulting in low impacts to confidentiality, integrity, and availability, such as limited data exposure, modification, or denial of service on the targeted router.
Advisories and details are available via references including GitHub issues at https://github.com/master-abc/cve/issues/21 and https://github.com/master-abc/cve/issues/21#issue-3847172823, as well as VulDB entries at https://vuldb.com/?ctiid.344649, https://vuldb.com/?id.344649, and https://vuldb.com/?submit.745854. No specific patch or mitigation steps are detailed in the CVE description.
The exploit is publicly available and might be used in targeted attacks against vulnerable D-Link DIR-823X devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5731
Vulnerability details
A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is…
more
publicly available and might be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in the authenticated web interface of a public-facing router directly enables remote exploitation (T1190) and arbitrary command execution via the network device CLI (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks OS command injection by validating/sanitizing the untrusted 'mac' argument before it reaches the shell in /goform/set_mac_clone.
Requires timely application of vendor patches or firmware updates that eliminate the command-injection flaw in the set_mac_clone handler.
Limits the number of accounts holding the high-privilege (admin) rights required to reach the vulnerable endpoint, reducing the attack surface.