CVE-2026-2151
Published: 08 February 2026
Summary
CVE-2026-2151 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DIR-615 firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 25.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2151 is an OS command injection vulnerability in D-Link DIR-615 firmware version 4.10. It affects an unknown part of the file adv_firewall.php within the DMZ Host Feature component, where manipulation of the dmz_ipaddr argument enables the injection. The issue is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). This vulnerability impacts only products that are no longer supported by the maintainer.
The vulnerability can be exploited remotely by an attacker with high privileges (PR:H). Exploitation involves sending a crafted request to trigger OS command injection via the dmz_ipaddr parameter, potentially allowing arbitrary command execution on the device. Successful attacks could result in high impacts to confidentiality, integrity, and availability, such as data theft, system modification, or denial of service.
Advisories note that no patches are available, as affected D-Link DIR-615 devices are end-of-support. References including VulDB entries and a detailed disclosure on a Notion site confirm the exploit has been publicly released and may be actively used. The official D-Link website provides no specific mitigation guidance for this unsupported firmware version.
Public disclosure of the exploit increases the risk for remaining deployments of this legacy router firmware.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5798
Vulnerability details
A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the public web interface (adv_firewall.php) directly enables remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) on the device.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of the dmz_ipaddr input parameter to block OS command injection in adv_firewall.php.
Mandates replacement or isolation of the end-of-support DIR-615 firmware that can never receive a fix for CVE-2026-2151.
Restricts the high-privilege accounts that can reach the DMZ Host configuration page, reducing the population able to trigger the injection.
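
One way to apply the input-validation control when the firmware itself cannot be fixed, as an added example that is not from the advisory or from D-Link: a Python check, run over request records captured by an upstream proxy or WAF, that flags any dmz_ipaddr value sent to adv_firewall.php that is not a plain dotted-quad IPv4 address. The record layout, the sample values and the assumption that the field arrives form-encoded (in the query string or the body) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PAGE = "adv_firewall.php"   # file named in the advisory
TARGET_PARAM = "dmz_ipaddr"        # argument named in the advisory
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def is_strict_ipv4(value: str) -> bool:
    """Allow-list check: exactly four decimal octets and nothing else."""
    # fullmatch (not match/$) so a trailing newline or suffix is rejected.
    return _IPV4.fullmatch(value) is not None


def audit_request(url: str, body: str = "") -> list[str]:
    """Return every dmz_ipaddr value in a request that is not a plain IPv4 address.

    Assumption: the field may arrive in the query string or in a
    form-encoded body, so both are decoded and checked.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(TARGET_PAGE):
        return []
    values = []
    for encoded in (parts.query, body):
        fields = parse_qs(encoded, keep_blank_values=True)
        values.extend(fields.get(TARGET_PARAM, []))
    return [v for v in values if not is_strict_ipv4(v)]


# Constructed sample records (url, body), as a proxy or WAF might capture them.
# "other" is a placeholder field, not a real firmware parameter.
SAMPLES = [
    ("/adv_firewall.php", "other=1&dmz_ipaddr=192.168.0.10"),
    ("/adv_firewall.php", "other=1&dmz_ipaddr=192.168.0.10%3Bx"),
    ("/adv_firewall.php?dmz_ipaddr=192.168.0.10%0Ax", ""),
    ("/status.php", "dmz_ipaddr=not-checked"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        bad = audit_request(url, body)
        print("ALERT" if bad else "ok   ", url, [repr(v) for v in bad])
```

The check is an allow-list rather than a blocklist of shell metacharacters, so any value outside the expected format is reported regardless of how it is encoded.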