CVE-2026-2193
Published: 08 February 2026
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2026-2193 is a command injection vulnerability affecting the D-Link DI-7100G C1 router running firmware version 24.04.18D1. The issue resides in the set_jhttpd_info function, where manipulation of the usb_username argument enables attackers to inject arbitrary commands. This flaw, associated with CWE-74 and CWE-77, carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low complexity.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely without user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through command injection, potentially enabling unauthorized command execution on the device.
Advisories detailing the vulnerability are available from sources including VulDB (ctiid.344896, id.344896, submit.749803) and a GitHub repository on IoT vulnerabilities. Vendor guidance can be found at dlink.com, where security practitioners should consult for any recommended patches or mitigation steps.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in router web interface enables remote exploitation of services (T1210) and arbitrary command execution akin to network device CLI abuse (T1059.008).