CVE-2026-3485
Published: 03 March 2026
Summary
CVE-2026-3485 is a critical-severity Command Injection (CWE-77) vulnerability in Dlink Dir-868L Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits use of unsupported system components like the end-of-life D-Link DIR-868L firmware with no patches available for this command injection vulnerability.
Requires validation of untrusted inputs such as the SSDP ST argument to directly prevent OS command injection exploits.
Mandates timely flaw remediation, which for this unpatchable EOL vulnerability necessitates device replacement or isolation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote OS command injection in the public-facing SSDP service (T1190, T1210), enabling arbitrary Unix shell command execution (T1059.004) without authentication.
NVD Description
A flaw has been found in D-Link DIR-868L 110b03. This affects the function sub_1BF84 of the component SSDP Service. This manipulation of the argument ST causes os command injection. It is possible to initiate the attack remotely. The exploit has…
more
been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-3485 is an OS command injection vulnerability (CWE-77, CWE-78) in the SSDP Service component of D-Link DIR-868L firmware version 110b03. The flaw affects the function sub_1BF84, where manipulation of the ST argument triggers command injection. It carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-03.
Attackers can exploit this vulnerability remotely without authentication, privileges, or user interaction. Successful exploitation allows arbitrary OS command execution, potentially leading to full compromise of the device with high impacts on confidentiality, integrity, and availability.
Advisories note that this vulnerability only affects products no longer supported by the maintainer, with no patches available. Detailed exploit information is published on sites like the kn0sinna Notion page and VulDB entries, and practitioners should consult the D-Link website for any general guidance on end-of-life devices.
An exploit has been published and may be used in the wild against vulnerable, unsupported D-Link DIR-868L routers.
Details
- CWE(s)