CVE-2026-2152 is an OS command injection vulnerability identified in the D-Link DIR-615 router firmware version 4.10. The vulnerability resides in the adv_routing.php component of the web configuration interface, where improper sanitization of user-supplied parameters—dest_ip, submask, and gw—allows an attacker to inject arbitrary operating system commands. This flaw can be exploited remotely over the network without requiring authentication or user interaction, significantly increasing the attack surface. The vulnerability enables an attacker to execute commands with high privileges, potentially leading to full compromise of the device, interception or manipulation of network traffic, and pivoting into internal networks. Despite the severity, the affected product is no longer supported by the vendor, and no official patches have been released. Public exploit code has been made available, facilitating exploitation by malicious actors. The CVSS v4.0 score of 8.6 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation and lack of required authentication. This vulnerability is particularly concerning for environments where these routers remain in use, as attackers can leverage it to disrupt network operations or conduct further attacks within the network.

For European organizations, the impact of CVE-2026-2152 can be significant, especially for those still operating legacy D-Link DIR-615 routers. Successful exploitation can lead to complete device compromise, allowing attackers to intercept sensitive data, disrupt network connectivity, or use the device as a foothold for lateral movement within corporate networks. This can affect confidentiality through data interception, integrity by modifying routing or configuration settings, and availability by causing device or network outages. Critical infrastructure sectors, small and medium enterprises, and organizations with limited IT resources that have not upgraded their network hardware are particularly vulnerable. The lack of vendor support and patches increases the risk of prolonged exposure. Additionally, the public availability of exploits raises the likelihood of opportunistic attacks targeting these devices across Europe.

Given the absence of official patches due to end-of-life status of the DIR-615 model, European organizations should prioritize immediate replacement of affected devices with supported hardware running updated firmware. Until replacement is feasible, network administrators should isolate these routers from untrusted networks, restrict access to the web configuration interface via firewall rules or VPNs, and disable remote management features if enabled. Monitoring network traffic for anomalous activity related to the adv_routing.php interface parameters can help detect exploitation attempts. Employing network segmentation to limit the impact of compromised devices and enforcing strict access controls on management interfaces are critical. Organizations should also conduct asset inventories to identify any remaining DIR-615 devices and plan for their phased decommissioning. Finally, raising user awareness about the risks of legacy hardware and maintaining up-to-date inventories will reduce exposure to similar vulnerabilities.