CVE-2026-1505 is an OS command injection vulnerability identified in the D-Link DIR-615 router firmware version 4.10. The vulnerability is located in the URL Filter component, specifically in the processing of the /set_temp_nodes.php endpoint. An attacker can remotely send specially crafted requests to this endpoint to inject arbitrary operating system commands, which the device executes with elevated privileges. The vulnerability does not require authentication or user interaction, making it highly exploitable over the network. The CVSS 4.0 score of 8.6 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although the device is no longer supported and no official patches are available, the public disclosure of exploit code increases the risk of exploitation by threat actors. Successful exploitation could allow attackers to take full control of the router, manipulate network traffic, intercept sensitive data, or launch further attacks within the network. The vulnerability affects only version 4.10 of the firmware and is specific to the DIR-615 model, which is widely deployed in home and small office environments but may still be present in some enterprise edge networks or IoT setups.

For European organizations, this vulnerability poses a significant risk if legacy D-Link DIR-615 routers running firmware 4.10 remain in use, especially in network perimeters or critical segments. Exploitation can lead to full device compromise, enabling attackers to intercept or redirect traffic, deploy malware, or pivot to internal networks. This threatens confidentiality through data interception, integrity by altering network configurations or traffic, and availability by causing device crashes or denial of service. The lack of vendor support means no official patches are available, increasing exposure. Organizations relying on these devices for VPN termination, firewalling, or routing could face operational disruptions and data breaches. The risk is heightened in environments with poor network segmentation or exposed management interfaces. Additionally, the public availability of exploit code lowers the barrier for attackers, including cybercriminals and state-sponsored actors targeting European infrastructure.

Given the absence of vendor patches, European organizations should prioritize immediate replacement of affected D-Link DIR-615 devices with supported hardware running updated firmware. Until replacement is feasible, network-level mitigations should be implemented: restrict access to the router's management interfaces by applying strict firewall rules limiting inbound traffic to trusted IPs; disable or restrict URL Filter features if possible; monitor network traffic for unusual requests targeting /set_temp_nodes.php; deploy intrusion detection/prevention systems (IDS/IPS) with signatures for this exploit; segment legacy devices on isolated VLANs to limit lateral movement; enforce strong network segmentation and access controls; conduct regular network scans to identify vulnerable devices; and educate staff about risks of legacy hardware. Organizations should also review their asset inventories to identify any remaining DIR-615 devices and plan for their decommissioning. Finally, consider deploying network anomaly detection tools to detect exploitation attempts in real time.