CVE-2026-4499

HighPublic PoC

Published: 20 March 2026

Published

20 March 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0041 61.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4499 is a high-severity Command Injection (CWE-77) vulnerability in Dlink Dir-820Lw Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing inputs to the ssdpcgi_main function, blocking manipulation via the HTTP_ST environment variable.

SI-2 Flaw Remediation good match

prevent

Remediates the specific command injection flaw in the SSDP component through timely identification, reporting, and patching of the D-Link DIR-820LW firmware.

SC-7 Boundary Protection partial match

prevent

Boundary protection limits remote network access to the vulnerable SSDP CGI service, reducing opportunities for unauthenticated exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Remote unauthenticated OS command injection in SSDP CGI enables exploitation of public-facing application (T1190) and command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may…

be utilized.

Deeper analysisAI

CVE-2026-4499 is an OS command injection vulnerability affecting the ssdpcgi_main function within the SSDP component of D-Link DIR-820LW firmware version 2.03. Published on 2026-03-20, it stems from CWE-77 and CWE-78 weaknesses, where manipulation of inputs leads to arbitrary command execution.

The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and maintaining unchanged scope (S:U). Attackers can achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in its CVSS v3.1 base score of 7.3. The exploit has been publicly disclosed and is available for use.

Advisories and details are documented across multiple sources, including GitHub repositories hosting the exploit ZIP file and issue trackers, as well as VulDB entries (ctiid.352055, id.352055, submit.773883), which confirm the remote OS command injection via the HTTP_ST environment variable in the ssdpcgi_main function. No specific patch details are outlined in the provided information.

Details

CWE(s): CWE-77 CWE-78

Affected Products

dlink

dir-820lw firmware

2.03

CVEs Like This One

CVE-2026-5844Same vendor: Dlink

CVE-2026-2082Same vendor: Dlink

CVE-2026-1448Same vendor: Dlink

CVE-2026-1506Same vendor: Dlink

CVE-2025-13306Same vendor: Dlink

CVE-2026-2061Same vendor: Dlink

CVE-2025-9727Same vendor: Dlink

CVE-2025-2717Same vendor: Dlink

CVE-2025-60854Same vendor: Dlink

CVE-2025-9752Same vendor: Dlink

References

https://github.com/user-attachments/files/25790888/OS.Command.Injection.in.D-Link.DIR-820LW.B2.03.via.the.HTTP_ST.environment.variable.in.ssdpcgi_main.function.zip
Exploit · cna@vuldb.com
https://github.com/yunleeeee/cve/issues/1
Exploit · cna@vuldb.com
https://vuldb.com/?ctiid.352055
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.352055
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.773883
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com