
CVE-2026-2155: OS Command Injection in D-Link DIR-823X

Severity: High
Published: Sun Feb 08 2026 (02/08/2026, 14:02:08 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-823X

Description

CVE-2026-2155 is a high-severity OS command injection vulnerability affecting the D-Link DIR-823X router, version 250416. The flaw exists in the Configuration Handler component, specifically in the /goform/set_dmz endpoint, where manipulation of the dmz_host or dmz_enable parameters allows remote attackers to execute arbitrary OS commands. Exploitation requires high privileges but no user interaction and can be performed remotely over the network. Although no known exploits are currently observed in the wild, a public exploit has been released, increasing the risk of attacks. This vulnerability threatens the confidentiality, integrity, and availability of affected devices, potentially allowing attackers to take full control of the router. European organizations using this router model are at risk, especially in countries with higher D-Link market penetration and critical infrastructure reliance on such devices. Mitigation requires applying vendor patches once available, restricting access to router management interfaces, and monitoring network traffic for suspicious activity. Countries like Germany, France, Italy, Spain, and the UK are likely most affected due to market share and strategic importance. Given the high CVSS score of 8.6, this vulnerability demands urgent attention from defenders.

AI-Powered Analysis

Last updated: 02/08/2026, 14:30:37 UTC

Technical Analysis

CVE-2026-2155 is an OS command injection vulnerability identified in the D-Link DIR-823X router, specifically version 250416. The vulnerability resides in the Configuration Handler component's function sub_4208A0, which processes requests to the /goform/set_dmz endpoint. By manipulating the parameters dmz_host or dmz_enable, an attacker can inject arbitrary operating system commands. This flaw allows remote attackers to execute commands on the underlying operating system with elevated privileges, as the vulnerability requires high privileges (PR:H) but no authentication (AT:N) or user interaction (UI:N). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), and high impact on confidentiality, integrity, and availability (all marked as high). The vulnerability does not require scope change or privileges beyond high-level access, suggesting that an attacker who already has some privileged access to the device or network can exploit this remotely. Although no exploits are currently observed in the wild, a public exploit has been released, increasing the risk of exploitation. The vulnerability could allow attackers to fully compromise the router, leading to interception or manipulation of network traffic, disruption of services, or use of the device as a foothold for further attacks within the network. The lack of official patches at the time of reporting increases the urgency for mitigation through alternative controls.

Potential Impact

For European organizations, this vulnerability poses significant risks. The D-Link DIR-823X is a consumer and small business router model that may be deployed in home offices, small enterprises, and branch offices. Successful exploitation could lead to full device compromise, allowing attackers to intercept sensitive communications, manipulate network configurations, or launch further attacks on internal systems. This threatens confidentiality, integrity, and availability of organizational networks. Critical sectors such as finance, healthcare, and government agencies relying on these devices for network connectivity are particularly vulnerable. The ability to execute OS commands remotely without user interaction increases the risk of automated or targeted attacks. Additionally, the public availability of an exploit raises the likelihood of opportunistic attacks. Disruption or compromise of these routers could also impact supply chains and remote work infrastructures, which remain critical in Europe. The overall impact includes potential data breaches, service outages, and reputational damage.

Mitigation Recommendations

1. Immediately restrict remote access to the router's management interfaces, especially the /goform/set_dmz endpoint, by implementing network-level access controls such as firewall rules or VPN-only access.
2. Disable the DMZ feature if not required, as it is the vulnerable component's context.
3. Monitor network traffic for unusual or unauthorized requests targeting the /goform/set_dmz path or suspicious command injection patterns.
4. Apply any official firmware updates or patches from D-Link as soon as they become available.
5. For devices that cannot be patched promptly, consider network segmentation to isolate vulnerable routers from critical assets.
6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts.
7. Educate IT staff and users about the risks and signs of router compromise.
8. Regularly audit router configurations and logs for anomalies.
9. Consider replacing affected devices with models that have a stronger security track record if patching is delayed or unavailable.
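Step 3 calls for monitoring requests to /goform/set_dmz. As an added example (not from the advisory, VulDB or D-Link), the Python below audits a constructed, simplified request log and flags any set_dmz request whose dmz_host is not a single IPv4 address or whose dmz_enable is not 0/1, i.e. it allow-lists the expected syntax rather than pattern-matching payloads; the log format and the sample lines are assumptions.

```python
"""Added example: flag /goform/set_dmz requests whose parameters deviate from
their expected syntax. Parameter names come from the advisory; the log format
(client, method, path, body) is an assumed simplification, not the device's own."""
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample lines: two benign configuration changes, two malformed
# requests from an outside address, and an unrelated endpoint that is ignored.
SAMPLE_LOG = """\
192.168.0.10 POST /goform/set_dmz dmz_enable=1&dmz_host=192.168.0.50
192.168.0.10 POST /goform/set_dmz dmz_enable=0&dmz_host=
203.0.113.7 POST /goform/set_dmz dmz_enable=1&dmz_host=192.168.0.50%3Bid
203.0.113.7 POST /goform/set_dmz dmz_enable=1%26%26id&dmz_host=192.168.0.50
192.168.0.10 GET /goform/get_status -
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>\S*)$")

def host_is_valid(value: str) -> bool:
    """A legitimate DMZ host is empty (feature off) or exactly one IPv4 address."""
    if value == "":
        return True
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False

def enable_is_valid(value: str) -> bool:
    """The enable flag is expected to be a bare 0 or 1."""
    return value in ("0", "1")

def audit_set_dmz(log_text: str) -> list:
    """Return (client, parameter, decoded value) for every malformed set_dmz parameter."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/goform/set_dmz"):
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # percent-decodes values
        for name, check in (("dmz_host", host_is_valid), ("dmz_enable", enable_is_valid)):
            for raw in params.get(name, []):
                if not check(raw):
                    alerts.append((m["client"], name, raw))
    return alerts

if __name__ == "__main__":
    for alert in audit_set_dmz(SAMPLE_LOG):
        print("suspicious set_dmz parameter:", alert)
```

Because the check validates the expected value shape instead of listing shell metacharacters, it also catches encodings the log pipeline decodes differently, at the cost of flagging genuinely misconfigured but harmless requests for review.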


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-07T08:26:16.969Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69889aaf4b57a58fa19cfd81

Added to database: 2/8/2026, 2:16:15 PM

Last enriched: 2/8/2026, 2:30:37 PM

Last updated: 2/8/2026, 3:19:46 PM

