{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5844/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5844"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","d-link","router","cve-2026-5844"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5844 describes a critical command injection vulnerability affecting D-Link DIR-882 routers running firmware version 1.01B02. The vulnerability resides in the \u003ccode\u003esprintf\u003c/code\u003e function within the \u003ccode\u003eprog.cgi\u003c/code\u003e script, specifically within the HNAP1 SetNetworkSettings Handler. A remote, unauthenticated attacker can exploit this flaw by manipulating the \u003ccode\u003eIPAddress\u003c/code\u003e argument, injecting arbitrary OS commands that are then executed with elevated privileges. The vulnerability is considered critical due to the potential for complete system compromise and the availability of a public exploit. 
This vulnerability impacts products that are no longer supported by the maintainer, increasing the risk for users who have not migrated to newer devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-882 router running firmware version 1.01B02.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003eprog.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request targets the HNAP1 SetNetworkSettings Handler.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003eIPAddress\u003c/code\u003e argument within the HTTP request, injecting malicious OS commands.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esprintf\u003c/code\u003e function in \u003ccode\u003eprog.cgi\u003c/code\u003e processes the attacker-controlled \u003ccode\u003eIPAddress\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed on the router\u0026rsquo;s operating system due to the command injection vulnerability in \u003ccode\u003esprintf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as modifying router settings, eavesdropping on network traffic, or using the router as a botnet node.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5844 allows a remote attacker to execute arbitrary OS commands on the vulnerable D-Link DIR-882 router. This can lead to a complete compromise of the device, enabling attackers to reconfigure the router, intercept network traffic, or use the compromised device as part of a botnet. The vulnerability affects end-of-life products, meaning no official patches are available. 
The impact is significant due to the widespread use of these routers in home and small business networks, where they can act as a gateway to internal systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-882 Command Injection Attempt\u003c/code\u003e to detect suspicious requests to \u003ccode\u003eprog.cgi\u003c/code\u003e containing shell metacharacters.\u003c/li\u003e\n\u003cli\u003eBlock access to the URL \u003ccode\u003ehttps://files.catbox.moe/ei31k1.zip\u003c/code\u003e to prevent the download of the publicly available exploit (IOC).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003eprog.cgi\u003c/code\u003e with unusually long \u003ccode\u003eIPAddress\u003c/code\u003e parameters (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to identify and block exploit attempts targeting CVE-2026-5844 (log source: network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T05:16:06Z","date_published":"2026-04-09T05:16:06Z","id":"/briefs/2026-04-dlink-command-injection/","summary":"A command injection vulnerability (CVE-2026-5844) exists in the D-Link DIR-882 router version 1.01B02, allowing a remote attacker to execute arbitrary OS commands by manipulating the IPAddress argument in the HNAP1 SetNetworkSettings Handler via the prog.cgi script.","title":"D-Link DIR-882 Remote Command Injection Vulnerability (CVE-2026-5844)","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5844","version":"https://jsonfeed.org/version/1.1"}