Cyber Resilience

CVE-2026-2151

High · Public PoC · RCE

Published: 08 February 2026
Modified: 11 February 2026
CVSS Score (v4): 7.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0078 (74.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2151 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DIR-615 firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2151 is an OS command injection vulnerability in D-Link DIR-615 firmware version 4.10. It affects an unknown part of the file adv_firewall.php within the DMZ Host Feature component, where manipulation of the dmz_ipaddr argument enables the injection. The issue is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). This vulnerability impacts only products that are no longer supported by the maintainer.

The vulnerability can be exploited remotely by an attacker with high privileges (PR:H). Exploitation involves sending a crafted request to trigger OS command injection via the dmz_ipaddr parameter, potentially allowing arbitrary command execution on the device. Successful attacks could result in high impacts to confidentiality, integrity, and availability, such as data theft, system modification, or denial of service.

Advisories note that no patches are available, as affected D-Link DIR-615 devices are end-of-support. References including VulDB entries and a detailed disclosure on a Notion site confirm the exploit has been publicly released and may be actively used. The official D-Link website provides no specific mitigation guidance for this unsupported firmware version.

Public disclosure of the exploit increases the risk for remaining deployments of this legacy router firmware.

Vulnerability details

A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the public web interface (adv_firewall.php) directly enables remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2152 (same product: Dlink Dir-615)
CVE-2026-1505 (same product: Dlink Dir-615)
CVE-2026-1448 (same product: Dlink Dir-615)
CVE-2026-1506 (same product: Dlink Dir-615)
CVE-2026-2260 (same vendor: Dlink)
CVE-2026-4465 (same vendor: Dlink)
CVE-2026-2210 (same vendor: Dlink)
CVE-2026-8273 (same vendor: Dlink)
CVE-2026-8272 (same vendor: Dlink)
CVE-2026-2157 (same vendor: Dlink)

Affected Assets

Vendor: dlink
Product: dir-615 firmware
Version: 4.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires validation and sanitization of the dmz_ipaddr input parameter to block OS command injection in adv_firewall.php.

Prevent: Mandates replacement or isolation of the end-of-support DIR-615 firmware that can never receive a fix for CVE-2026-2151.

Prevent: Restricts the high-privilege accounts that can reach the DMZ Host configuration page, reducing the population able to trigger the injection.
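
One way to apply the input-validation control to dmz_ipaddr in front of the device (for example in a reverse proxy rule or a review of request logs), as an added example that is not code from D-Link or from the referenced disclosure: it accepts the parameter only when it is a plain dotted-quad IPv4 host address and reports everything else. The form-encoded request body, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# ASCII digits and dots only; fullmatch() also rejects a trailing newline.
_DOTTED_QUAD = re.compile(r"[0-9]{1,3}(\.[0-9]{1,3}){3}")


def is_valid_dmz_ipaddr(value):
    """True only for a plain dotted-quad IPv4 host address."""
    if not _DOTTED_QUAD.fullmatch(value):
        return False  # whitespace, shell metacharacters, hostnames, IPv6, ...
    try:
        addr = ipaddress.IPv4Address(value)  # enforces each octet <= 255
    except ipaddress.AddressValueError:
        return False
    return not (addr.is_unspecified or addr.is_loopback or addr.is_multicast)


def check_request(path, body):
    """Return findings for one request; a form-encoded body is an assumption."""
    if not path.split("?", 1)[0].endswith("adv_firewall.php"):
        return []
    values = parse_qs(body, keep_blank_values=True).get("dmz_ipaddr", [])
    findings = []
    if len(values) > 1:
        findings.append("dmz_ipaddr supplied more than once")
    for value in values:
        if not is_valid_dmz_ipaddr(value):
            findings.append("dmz_ipaddr is not a plain IPv4 address: %r" % value)
    return findings


# Constructed sample requests (not captured traffic, not from the disclosure).
SAMPLES = [
    ("/adv_firewall.php", "dmz_ipaddr=192.168.0.10"),
    ("/adv_firewall.php", "dmz_ipaddr=192.168.0.10%3BCONSTRUCTED"),
    ("/adv_firewall.php", "dmz_ipaddr=192.168.0.999"),
    ("/adv_firewall.php", "dmz_ipaddr=192.168.0.10&dmz_ipaddr=192.168.0.11"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, body, "->", check_request(path, body) or "ok")
```

The check is an allowlist: it defines what a DMZ host address may look like and rejects the rest, rather than trying to enumerate dangerous characters.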

References