Cyber Posture

CVE-2026-0732

Medium · Public PoC

Published: 09 January 2026

Modified: 14 January 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0038 (59.5th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. Manipulation of the argument path results in command injection. The attack may be performed remotely. The exploit has been made public and could be used.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates CVE-2026-0732 by identifying, prioritizing, and applying firmware patches or vendor-specific remediations for the command injection flaw in /upgrade_filter.asp.

prevent

Prevents command injection exploitation by enforcing validation of the 'path' argument to block improper neutralization of special elements in the vulnerable /upgrade_filter.asp function.

prevent

Reduces impact of successful command injection by enforcing least privilege on the low-privilege (PR:L) account or process handling the /upgrade_filter.asp endpoint.

Security Summary (AI)

CVE-2026-0732 is a command injection vulnerability affecting the D-Link DI-8200G router running firmware version 17.12.20A1. The issue resides in an unknown function within the /upgrade_filter.asp file, where manipulation of the 'path' argument enables arbitrary command execution. Associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the device.

References include GitHub repositories detailing a proof-of-concept (PoC) for the command execution vulnerability and VulDB entries (ctiid.340129, id.340129, submit.733275) documenting the issue, though no specific patches or mitigation steps from vendor advisories are detailed in available sources.

The exploit has been made public and could be used, increasing the risk for unpatched D-Link DI-8200G devices.

Details

CWE(s)

Affected Products

dlink
di-8200g firmware
17.12.20a1

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Command injection in the web interface (/upgrade_filter.asp) of a public-facing router maps to exploitation of a public-facing application (T1190), leading to arbitrary command execution on the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References