Cyber Resilience

CVE-2026-2152

High · Public PoC · RCE

Published: 08 February 2026

Modified: 11 February 2026
CVSS Score v4: 7.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0349 (87.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2152 is a high-severity command injection (CWE-77) vulnerability in D-Link DIR-615 firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2152 affects the D-Link DIR-615 running firmware version 4.10. The flaw is in unspecified code in the adv_routing.php file of the Web Configuration Interface. Manipulating the dest_ip, submask, and gw arguments permits OS command injection, corresponding to CWE-77 and CWE-78. The issue is remotely exploitable and carries a CVSS 4.0 score of 7.3.

An attacker with administrative credentials can supply crafted values to the affected parameters over the network, resulting in execution of arbitrary operating system commands. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the device. The exploit code has been publicly disclosed.

The affected product is no longer supported by D-Link, as noted in the vulnerability record and referenced vendor site. The current and peak EPSS score remains 0.0349 with no material increase observed.

Vulnerability details

A vulnerability was found in D-Link DIR-615 4.10. This vulnerability affects unknown code of the file adv_routing.php of the component Web Configuration Interface. Performing a manipulation of the argument dest_ip/submask/gw results in OS command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the router web UI directly enables T1190 (exploit of public-facing app) and T1059.004 (Unix shell command execution on the embedded device).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2151 (same product: D-Link DIR-615)
CVE-2026-1505 (same product: D-Link DIR-615)
CVE-2026-1448 (same product: D-Link DIR-615)
CVE-2026-1506 (same product: D-Link DIR-615)
CVE-2026-2260 (same vendor: D-Link)
CVE-2026-4465 (same vendor: D-Link)
CVE-2026-2210 (same vendor: D-Link)
CVE-2026-8273 (same vendor: D-Link)
CVE-2026-8272 (same vendor: D-Link)
CVE-2026-2157 (same vendor: D-Link)

Affected Assets

Vendor: dlink · Product: dir-615 firmware · Version: 4.10

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Requires validation of untrusted inputs such as dest_ip, submask, and gw parameters in the web configuration interface to directly prevent OS command injection.

Prevent: Prohibits use of unsupported system components like the end-of-life D-Link DIR-615 router, eliminating exposure to unpatched vulnerabilities like this command injection.

Prevent: Mandates identification and remediation of flaws such as this OS command injection vulnerability, through patching, isolation, or decommissioning given no vendor support.
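
An added example, not code from the firmware or from D-Link: one way to apply the input-validation control to the dest_ip, submask, and gw fields, written in Python. The function names and the net-tools style `route` argument list are assumptions for illustration; the page does not describe how adv_routing.php uses these values.

```python
import ipaddress


def _ipv4(field, value):
    """Parse a strict dotted-quad string; anything else raises ValueError."""
    if not isinstance(value, str) or len(value) > 15:
        raise ValueError(f"{field}: not a dotted-quad IPv4 string")
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{field}: {exc}") from None


def validate_route(dest_ip, submask, gw):
    """Return canonical (dest, mask, gateway) strings or raise ValueError."""
    dest = _ipv4("dest_ip", dest_ip)
    mask = _ipv4("submask", submask)
    gate = _ipv4("gw", gw)
    host_bits = ~int(mask) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # a netmask must be ones followed by zeros
        raise ValueError("submask: bits are not contiguous")
    if int(dest) & host_bits:
        raise ValueError("dest_ip: host bits set for this submask")
    if gate.is_unspecified or gate.is_multicast or gate.is_loopback:
        raise ValueError("gw: not a usable next hop")
    return str(dest), str(mask), str(gate)


def route_argv(dest_ip, submask, gw):
    """Build an argument vector (assumed net-tools syntax) for exec without a shell."""
    dest, mask, gate = validate_route(dest_ip, submask, gw)
    return ["route", "add", "-net", dest, "netmask", mask, "gw", gate]


if __name__ == "__main__":
    # Constructed sample submissions, not captured traffic.
    samples = [
        ("192.168.10.0", "255.255.255.0", "192.168.0.1"),
        ("192.168.10.0;x", "255.255.255.0", "192.168.0.1"),
        ("192.168.10.0", "255.0.255.0", "192.168.0.1"),
    ]
    for fields in samples:
        try:
            print("accept", route_argv(*fields))
        except ValueError as err:
            print("reject", err)
```

Only the re-serialized values from the parser reach the argument list, so the original request strings are never passed on, and the list form is meant for an exec-style call that involves no shell.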

References