A critical access control flaw has been identified in the D-Link DIR-823G firmware version 1.0.2B05, enabling unauthenticated remote attackers to manipulate core router configuration functions through the embedded GoAhead web server, and no patch will ever be issued.
D-Link DIR-823G Flaw
CVE-2026-4193 is a publicly disclosed improper access control vulnerability affecting the D-Link DIR-823G router running firmware version 1.0.2B05. The flaw was officially published on March 15, 2026, and most recently updated on April 7, 2026, with NIST assigning a CVSS v3.1 base score of 7.5 (HIGH).
An exploit is already available in a public GitHub repository, meaning any motivated attacker can readily weaponize it. At its core, the vulnerability stems from the absence of proper authentication enforcement in the GoAhead web server component bundled with the router’s firmware.
GoAhead is a lightweight, embedded web server commonly found in consumer-grade networking devices, particularly older D-Link and TP-Link hardware. When access control logic is incorrectly or incompletely implemented in GoAhead’s function handlers, unauthorized parties can directly invoke sensitive API endpoints without valid credentials.
Affected Functions and Attack Surface
The sheer breadth of the affected function set is what makes CVE-2026-4193 particularly alarming. The vulnerability is present across more than 25 distinct API functions within the goahead component, covering virtually every administrative operation on the router:
- Information retrieval: GetDDNSSettings, GetDeviceDomainName, GetDeviceSettings, GetDMZSettings, GetFirewallSettings, GetGuestNetworkSettings, GetLanWanConflictInfo, GetLocalMacAddress, GetNetworkSettings, GetQoSSettings, GetRouterInformationSettings, GetRouterLanSettings, GetWanSettings
- Configuration modification: SetAccessCtlList, SetAccessCtlSwitch, SetDeviceSettings, SetGuestWLanSettings, SetIPv4FirewallSettings, SetNetworkSettings, SetNetworkTomographySettings, SetNTPServerSettings, SetRouterLanSettings, SetStaticClientInfo, SetStaticRouteSettings, SetWLanRadioSecurity, SetWPSSettings, UpdateClientInfo
An unauthenticated remote attacker can leverage these endpoints to read sensitive device configurations, modify firewall rules, manipulate access control lists, alter WPS and wireless security settings, change LAN/WAN topology, or update static client and routing entries, all without presenting any login credentials or triggering user interaction.
| CVSS Version | Score | Severity | Vector Summary |
|---|---|---|---|
| CVSSv2 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| CVSSv3.0 | 7.3 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVSSv3.1 | 7.3 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVSSv3.1 | 7.5 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSSv4.0 | 6.9 | MEDIUM | AV:N/AC:L/AT:N/PR:N/UI:N |
The network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and no user interaction (UI:N) collectively indicate that this vulnerability is trivially exploitable over the internet with minimal technical skill.
The EPSS score currently sits at 0.09%, placing the vulnerability approximately at the 25th percentile for exploitation probability over the next 30 days. However, the public availability of a proof-of-concept exploit can rapidly raise that figure.
CWE Classification
The vulnerability maps to two CWE identifiers:
- CWE-266 (Incorrect Privilege Assignment): The product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control; in this case, it grants unauthenticated users access to privileged configuration APIs.
- CWE-284 (Improper Access Control): The product fails to restrict access to a resource, or incorrectly restricts access to it, from an unauthorized actor. Here, the goahead component does not enforce authentication before processing sensitive configuration requests.
End-of-Life Status and D-Link’s Position
D-Link has officially confirmed that the DIR-823G reached its End of Life (EOL) and End of Service Life (EOS) on February 10, 2020, for all hardware revisions and all regions. The company’s security advisory explicitly states that no fixed firmware will be made available and recommends users retire and replace affected devices immediately.
This is consistent with D-Link’s documented policy for legacy products, which receive no further security patches or software updates after EOL.
The proof-of-concept exploit is publicly documented in a GitHub repository maintained by the researcher wudipjq, which covers multiple vulnerabilities in the DIR-823G series (references: vuln_91/91.md and vuln_92/92.md).
Recommended Mitigations
Since no official patch exists or will be released, affected organizations and individual users must rely on compensating controls:
- Replace the device immediately with a currently supported router model from any vendor
- Disable remote management on the WAN interface if replacement is temporarily delayed
- Place the device behind a firewall that blocks HTTP/HTTPS access to the router’s management interface from untrusted networks
- Segment the network to limit the blast radius if the device is compromised
- Monitor for unauthorized configuration changes, including DNS hijacking, firewall rule modifications, and rogue static routes
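One way to support the monitoring step, as an added example that is not from the original article: the Python below triages sensor log lines for calls to the function names listed earlier when they come from hosts outside an administrator allowlist. The log layout, the IP addresses and the severity thresholds are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Function names exactly as listed in the article.
READ_FUNCS = set("""GetDDNSSettings GetDeviceDomainName GetDeviceSettings
GetDMZSettings GetFirewallSettings GetGuestNetworkSettings GetLanWanConflictInfo
GetLocalMacAddress GetNetworkSettings GetQoSSettings GetRouterInformationSettings
GetRouterLanSettings GetWanSettings""".split())
WRITE_FUNCS = set("""SetAccessCtlList SetAccessCtlSwitch SetDeviceSettings
SetGuestWLanSettings SetIPv4FirewallSettings SetNetworkSettings
SetNetworkTomographySettings SetNTPServerSettings SetRouterLanSettings
SetStaticClientInfo SetStaticRouteSettings SetWLanRadioSecurity SetWPSSettings
UpdateClientInfo""".split())

# Assumed log layout (hypothetical sensor): "<ts> src=<ip> dst=<ip> func=<name>".
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+func=(?P<func>\w+)")

# Constructed sample lines; addresses are documentation/private ranges.
SAMPLE_LOG = [
    "2026-04-08T10:00:01Z src=192.168.0.10 dst=192.168.0.1 func=GetWanSettings",
    "2026-04-08T10:02:11Z src=203.0.113.7 dst=192.168.0.1 func=GetDeviceSettings",
    "2026-04-08T10:02:12Z src=203.0.113.7 dst=192.168.0.1 func=GetWanSettings",
    "2026-04-08T10:02:15Z src=203.0.113.7 dst=192.168.0.1 func=SetIPv4FirewallSettings",
    "2026-04-08T10:05:40Z src=198.51.100.23 dst=192.168.0.1 func=GetLocalMacAddress",
    "2026-04-08T10:05:41Z src=198.51.100.23 dst=192.168.0.9 func=SetWPSSettings",
]

def triage(lines, router_ip, admin_hosts):
    """Return {src: {"reads", "writes", "severity"}} for calls to the listed
    functions on router_ip from sources that are not in admin_hosts."""
    hits = defaultdict(lambda: {"reads": set(), "writes": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dst"] != router_ip or m["src"] in admin_hosts:
            continue
        func = m["func"]
        if func in WRITE_FUNCS:
            hits[m["src"]]["writes"].add(func)
        elif func in READ_FUNCS:
            hits[m["src"]]["reads"].add(func)
    report = {}
    for src, h in hits.items():
        # Any configuration write is high; broad read enumeration is medium.
        sev = "high" if h["writes"] else ("medium" if len(h["reads"]) >= 3 else "low")
        report[src] = {"reads": h["reads"], "writes": h["writes"], "severity": sev}
    return report
```

Calling `triage(SAMPLE_LOG, "192.168.0.1", {"192.168.0.10"})` ignores the administrator host and the line addressed to a different device, and rates the source that issued a `Set*` call as high.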
FAQs
Q1: What is CVE-2026-4193? A publicly disclosed improper access control flaw in D-Link DIR-823G firmware 1.0.2B05, allowing unauthenticated remote attackers to manipulate over 25 router configuration functions via the goahead web server component.
Q2: Is a patch available for CVE-2026-4193? No, D-Link officially declared the DIR-823G end-of-life in February 2020 and will not release any firmware updates or security fixes for this vulnerability.
Q3: How severe is CVE-2026-4193? It carries a CVSS v3.1 score of 7.5 (HIGH) from NIST, requires no authentication or user interaction, and has a publicly available proof-of-concept exploit on GitHub.
Q4: What should DIR-823G users do immediately? Replace the device with a supported router, restrict WAN-facing management access, and isolate the device from critical network segments until replacement is possible.
Site: thecybrdef.com