Cyber Resilience

CVE-2026-2082

MediumPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0032 55.4th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2082 is a medium-severity Command Injection (CWE-77) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2082 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the D-Link DIR-823X router on firmware version 250416. The flaw resides in an unknown function within the /goform/set_mac_clone file, where manipulation of the "mac" argument enables arbitrary OS command execution. Published on 2026-02-07, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is remotely exploitable with low attack complexity but requires high privileges, such as authenticated administrative access to the device. An attacker with these privileges can inject and execute OS commands, resulting in low impacts to confidentiality, integrity, and availability, such as limited data exposure, modification, or denial of service on the targeted router.

Advisories and details are available via references including GitHub issues at https://github.com/master-abc/cve/issues/21 and https://github.com/master-abc/cve/issues/21#issue-3847172823, as well as VulDB entries at https://vuldb.com/?ctiid.344649, https://vuldb.com/?id.344649, and https://vuldb.com/?submit.745854. No specific patch or mitigation steps are detailed in the CVE description.

The exploit is publicly available and might be used in targeted attacks against vulnerable D-Link DIR-823X devices.

EU & UK References

Vulnerability details

A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is…

more

publicly available and might be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS command injection in the authenticated web interface of a public-facing router directly enables remote exploitation (T1190) and arbitrary command execution via the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55848Same product: Dlink Dir-823X
CVE-2025-2717Same product: Dlink Dir-823X
CVE-2026-1125Same product: Dlink Dir-823X
CVE-2026-2210Same product: Dlink Dir-823X
CVE-2026-1544Same product: Dlink Dir-823X
CVE-2026-2157Same product: Dlink Dir-823X
CVE-2026-2129Same product: Dlink Dir-823X
CVE-2026-2143Same product: Dlink Dir-823X
CVE-2026-2084Same product: Dlink Dir-823X
CVE-2026-2063Same product: Dlink Dir-823X

Affected Assets

dlink
dir-823x firmware
250416

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks OS command injection by validating/sanitizing the untrusted 'mac' argument before it reaches the shell in /goform/set_mac_clone.

prevent

Requires timely application of vendor patches or firmware updates that eliminate the command-injection flaw in the set_mac_clone handler.

prevent

Limits the number of accounts holding the high-privilege (admin) rights required to reach the vulnerable endpoint, reducing the attack surface.

References