CVE-2026-4499

HighPublic PoC

Published: 20 March 2026

Published

20 March 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0041 61.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may…

be utilized.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing inputs to the ssdpcgi_main function, blocking manipulation via the HTTP_ST environment variable.

SI-2 Flaw Remediation good match

prevent

Remediates the specific command injection flaw in the SSDP component through timely identification, reporting, and patching of the D-Link DIR-820LW firmware.

SC-7 Boundary Protection partial match

prevent

Boundary protection limits remote network access to the vulnerable SSDP CGI service, reducing opportunities for unauthenticated exploitation.

Security SummaryAI

CVE-2026-4499 is an OS command injection vulnerability affecting the ssdpcgi_main function within the SSDP component of D-Link DIR-820LW firmware version 2.03. Published on 2026-03-20, it stems from CWE-77 and CWE-78 weaknesses, where manipulation of inputs leads to arbitrary command execution.

The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and maintaining unchanged scope (S:U). Attackers can achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in its CVSS v3.1 base score of 7.3. The exploit has been publicly disclosed and is available for use.

Advisories and details are documented across multiple sources, including GitHub repositories hosting the exploit ZIP file and issue trackers, as well as VulDB entries (ctiid.352055, id.352055, submit.773883), which confirm the remote OS command injection via the HTTP_ST environment variable in the ssdpcgi_main function. No specific patch details are outlined in the provided information.

Details

CWE(s): CWE-77 CWE-78

Affected Products

dlink

dir-820lw firmware

2.03

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Remote unauthenticated OS command injection in SSDP CGI enables exploitation of public-facing application (T1190) and command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/user-attachments/files/25790888/OS.Command.Injection.in.D-Link.DIR-820LW.B2.03.via.the.HTTP_ST.environment.variable.in.ssdpcgi_main.function.zip
Exploit · cna@vuldb.com
https://github.com/yunleeeee/cve/issues/1
Exploit · cna@vuldb.com
https://vuldb.com/?ctiid.352055
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.352055
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.773883
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com