CVE-2026-3485

CriticalPublic PoC

Published: 03 March 2026

Published

03 March 2026

Modified

04 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0046 64.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in D-Link DIR-868L 110b03. This affects the function sub_1BF84 of the component SSDP Service. This manipulation of the argument ST causes os command injection. It is possible to initiate the attack remotely. The exploit has…

been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5)AI

SA-22 Unsupported System Components good match

prevent

Prohibits use of unsupported system components like the end-of-life D-Link DIR-868L firmware with no patches available for this command injection vulnerability.

SI-10 Information Input Validation good match

prevent

Requires validation of untrusted inputs such as the SSDP ST argument to directly prevent OS command injection exploits.

SI-2 Flaw Remediation partial match

prevent

Mandates timely flaw remediation, which for this unpatchable EOL vulnerability necessitates device replacement or isolation.

Security SummaryAI

CVE-2026-3485 is an OS command injection vulnerability (CWE-77, CWE-78) in the SSDP Service component of D-Link DIR-868L firmware version 110b03. The flaw affects the function sub_1BF84, where manipulation of the ST argument triggers command injection. It carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-03.

Attackers can exploit this vulnerability remotely without authentication, privileges, or user interaction. Successful exploitation allows arbitrary OS command execution, potentially leading to full compromise of the device with high impacts on confidentiality, integrity, and availability.

Advisories note that this vulnerability only affects products no longer supported by the maintainer, with no patches available. Detailed exploit information is published on sites like the kn0sinna Notion page and VulDB entries, and practitioners should consult the D-Link website for any general guidance on end-of-life devices.

An exploit has been published and may be used in the wild against vulnerable, unsupported D-Link DIR-868L routers.

Details

CWE(s): CWE-77 CWE-78

Affected Products

dlink

dir-868l firmware

110b03

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote OS command injection in the public-facing SSDP service (T1190, T1210), enabling arbitrary Unix shell command execution (T1059.004) without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://kn0sinna.notion.site/dlink-dir-868l-ssdp-command-injection-30eb1876cd6e80caa691de6fe5cab59c
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.348560
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.348560
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.764759
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com