CVE-2026-5844
Published: 09 April 2026
Summary
CVE-2026-5844 is a high-severity Command Injection (CWE-77) vulnerability in Dlink Dir-882 Firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of untrusted inputs like the IPAddress argument to prevent OS command injection via unsafe sprintf usage.
Requires identification and timely remediation of software flaws like this command injection vulnerability, including replacement since no patches are available.
Prohibits the use of unsupported system components such as this end-of-life D-Link DIR-882 router, eliminating exposure to unpatched vulnerabilities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing router web interface (HNAP1) directly enables T1190 for initial access via exploitation and facilitates T1059.008 for arbitrary command execution on the network device.
NVD Description
A vulnerability was found in D-Link DIR-882 1.01B02. Impacted is the function sprintf of the file prog.cgi of the component HNAP1 SetNetworkSettings Handler. The manipulation of the argument IPAddress results in os command injection. The attack may be performed from…
more
remote. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-5844 is an OS command injection vulnerability affecting the D-Link DIR-882 router on firmware version 1.01B02. The flaw exists in the sprintf function within the prog.cgi file, part of the HNAP1 SetNetworkSettings Handler component. Manipulation of the IPAddress argument enables command injection, as documented in the CVE description published on 2026-04-09.
The vulnerability is remotely exploitable over the network with low complexity and no user interaction. Per the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), attackers require high privileges to exploit it. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing arbitrary OS command execution on the device.
This vulnerability impacts products no longer supported by the maintainer, with no patches available from D-Link. An exploit has been publicly released, accessible via a provided archive link, alongside VulDB advisory details. Mitigation relies on network isolation, firmware downgrade if feasible, or device replacement, as noted in the references including VulDB entries and the D-Link site.
Details
- CWE(s)