
CVE-2026-2163: Command Injection in D-Link DIR-600

Severity: Medium
Published: Sun Feb 08 2026 (02/08/2026, 16:32:09 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-600

Description

CVE-2026-2163 is a medium-severity command injection vulnerability affecting the D-Link DIR-600 router firmware version 2.15WWb02 and earlier. The flaw exists in the ssdp.cgi component, where manipulation of HTTP_ST, REMOTE_ADDR, REMOTE_PORT, or SERVER_ID arguments can lead to remote command execution without user interaction or authentication. Although the affected product is no longer supported and no patches are available, the exploit code is publicly accessible, increasing the risk of exploitation. The vulnerability allows attackers to execute arbitrary commands on the device, potentially compromising network integrity and confidentiality. European organizations using this outdated router model may face risks, especially in small office or home office environments. Mitigation is complicated by the lack of vendor support, requiring network segmentation, device replacement, or strict access controls. Countries with higher D-Link market penetration and significant SME usage, such as Germany, France, and the UK, are more likely to be impacted. Given the medium CVSS score and the absence of known exploits in the wild, the threat remains moderate but should not be ignored due to the ease of remote exploitation and potential network exposure.

AI-Powered Analysis

Last updated: 02/08/2026, 17:16:02 UTC

Technical Analysis

CVE-2026-2163 identifies a command injection vulnerability in the D-Link DIR-600 router firmware up to version 2.15WWb02, specifically within the ssdp.cgi file. The vulnerability arises when an attacker manipulates certain HTTP arguments—HTTP_ST, REMOTE_ADDR, REMOTE_PORT, or SERVER_ID—leading to the injection and execution of arbitrary system commands on the device. This attack vector does not require user interaction or authentication, making it remotely exploitable over the network. The vulnerability affects devices that are no longer supported by D-Link, meaning no official patches or firmware updates are available to remediate the issue. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and no user interaction, but limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, public exploit code exists, increasing the risk of future attacks. The affected device is commonly used in home and small office environments, where it may serve as a gateway to internal networks. Successful exploitation could allow attackers to execute arbitrary commands, potentially leading to device compromise, network reconnaissance, or pivoting attacks. The lack of vendor support complicates mitigation, necessitating alternative security controls or device replacement.

Potential Impact

For European organizations, particularly small and medium enterprises (SMEs) and home office users relying on the D-Link DIR-600 router, this vulnerability poses a tangible risk of unauthorized remote command execution. Exploitation could lead to full device compromise, enabling attackers to intercept or manipulate network traffic, deploy malware, or establish persistent footholds within internal networks. This threatens confidentiality by exposing sensitive data, integrity by allowing manipulation of network configurations or data flows, and availability if the device is rendered inoperable or used in denial-of-service attacks. Given the device's typical deployment at network perimeters, compromised routers could serve as launch points for broader attacks against organizational infrastructure. The absence of vendor patches increases the risk exposure duration, especially in environments where device replacement is delayed. Additionally, the public availability of exploit code lowers the barrier for attackers, including opportunistic cybercriminals and potentially state-sponsored actors targeting European networks. The impact is heightened in countries with widespread use of this router model and where network security hygiene may be less rigorous.

Mitigation Recommendations

Since the affected D-Link DIR-600 devices are no longer supported and no official patches exist, organizations should prioritize device replacement with modern, supported hardware that receives regular security updates. In the interim, network administrators should implement strict network segmentation to isolate vulnerable routers from critical infrastructure and sensitive data. Deploying firewall rules to restrict inbound access to router management interfaces and SSDP services from untrusted networks can reduce exposure. Monitoring network traffic for unusual patterns or command injection attempts targeting ssdp.cgi parameters is advisable. Employing intrusion detection/prevention systems (IDS/IPS) with signatures tuned for this vulnerability can help detect exploitation attempts. Additionally, disabling SSDP or UPnP services on the router, if feasible, can mitigate the attack surface. Organizations should also conduct asset inventories to identify affected devices and prioritize their remediation or replacement. User education on the risks of outdated network equipment and enforcing policies against using unsupported devices in corporate environments will further reduce risk.
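
One way to implement the monitoring step above, as an added example that is not part of the original advisory: it checks the ST header of captured SSDP M-SEARCH datagrams against an allowlist of well-formed search-target shapes and reports the sources that fail it. It assumes HTTP_ST is the CGI variable carrying that ST header, which the page does not state; the function names, addresses and sample datagrams are constructed for illustration.

```python
import re

# Well-formed ST (search target) shapes used in UPnP discovery.
# Anything else, including shell metacharacters, fails the allowlist.
ST_ALLOWED = re.compile(
    r"ssdp:all|upnp:rootdevice"
    r"|uuid:[0-9A-Za-z-]{1,64}"
    r"|urn:[0-9A-Za-z.-]{1,64}:(?:device|service):[0-9A-Za-z_.-]{1,64}:[0-9]{1,4}"
)

def parse_msearch(datagram: bytes):
    """Return upper-cased headers of an SSDP M-SEARCH, or None for other traffic."""
    lines = datagram.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def st_is_suspicious(datagram: bytes) -> bool:
    """True when an M-SEARCH has a missing or non-conforming ST header."""
    headers = parse_msearch(datagram)
    if headers is None:
        return False
    return ST_ALLOWED.fullmatch(headers.get("ST", "")) is None

def _msearch(st: str) -> bytes:
    """Build a constructed M-SEARCH datagram with the given ST value."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n'
            f"ST: {st}\r\n\r\n").encode("latin-1")

# Constructed samples: (source address from documentation ranges, datagram).
SAMPLES = [
    ("192.0.2.10", _msearch("ssdp:all")),
    ("192.0.2.11", _msearch("urn:schemas-upnp-org:device:InternetGatewayDevice:1")),
    ("203.0.113.7", _msearch("urn:device:1;PLACEHOLDER")),
    ("203.0.113.8", _msearch("uuid:`PLACEHOLDER`")),
    ("192.0.2.12", b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
]

def flagged_sources(samples):
    """Return source addresses whose M-SEARCH should raise an alert."""
    return [src for src, dgram in samples if st_is_suspicious(dgram)]

if __name__ == "__main__":
    print(flagged_sources(SAMPLES))
```

An allowlist is used instead of a metacharacter blocklist so that any malformed search target is surfaced, not only the ones a signature anticipates.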


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-07T09:06:36.248Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6988c15b4b57a58fa1b5b391

Added to database: 2/8/2026, 5:01:15 PM

Last enriched: 2/8/2026, 5:16:02 PM

Last updated: 2/8/2026, 6:04:15 PM
