CVE-2026-1125 is a remote command injection vulnerability identified in the D-Link DIR-823X router firmware version 250416. The vulnerability resides in the function sub_412E7C within the /goform/set_wifidog_settings endpoint. An attacker can manipulate the wd_enable argument to inject arbitrary commands that the device executes with system privileges. This flaw allows an unauthenticated attacker to remotely execute commands on the affected device without any user interaction, making it highly accessible for exploitation. The vulnerability stems from insufficient input validation or sanitization of the wd_enable parameter, enabling command injection. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, a public exploit has been released, increasing the likelihood of exploitation. The vulnerability could allow attackers to take control of the router, manipulate network traffic, intercept sensitive data, or disrupt network availability. Given the widespread use of D-Link routers in home and small business environments, this vulnerability poses a significant risk to network security. The lack of available patches at the time of reporting necessitates immediate mitigation through network-level controls and monitoring until official updates are released.

For European organizations, this vulnerability could lead to unauthorized remote control of affected routers, enabling attackers to intercept or manipulate network traffic, conduct man-in-the-middle attacks, or pivot into internal networks. The compromise of network infrastructure devices like routers can severely impact confidentiality, integrity, and availability of organizational data and services. Small and medium enterprises relying on D-Link DIR-823X devices for internet connectivity or internal segmentation are particularly at risk. The attack requires no authentication or user interaction, increasing the attack surface and potential for widespread exploitation. Disruption of network availability could affect business operations, while data interception could lead to leakage of sensitive information. Additionally, compromised routers could be enlisted into botnets or used as launch points for further attacks against European targets. The medium CVSS score reflects moderate but significant risk, especially given the public exploit availability. Organizations in sectors such as finance, healthcare, and critical infrastructure that depend on secure network communications could face elevated threats.

1. Immediately restrict remote access to the router’s management interfaces, especially the /goform/set_wifidog_settings endpoint, by implementing firewall rules or network segmentation. 2. Disable any unnecessary remote management features on the DIR-823X devices to reduce exposure. 3. Monitor network traffic for unusual command execution patterns or unexpected outbound connections originating from routers. 4. Apply vendor firmware updates or patches as soon as they become available; regularly check D-Link’s official channels for security advisories. 5. If patches are not yet available, consider temporarily replacing affected devices with models not vulnerable to this issue or deploying compensating controls such as VPNs and strict access controls. 6. Conduct regular security audits of network devices to detect unauthorized configuration changes or signs of compromise. 7. Educate IT staff about this vulnerability and ensure incident response plans include procedures for router compromise scenarios. 8. Use network intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability.