D-Link DIR-822 A_101 Command Injection (CVE-2026-7067) in udhcpd
The National Vulnerability Database has disclosed CVE-2026-7067, a high-severity command injection vulnerability impacting D-Link DIR-822 A_101 routers. This flaw resides in the udhcpd DHCP Service component, specifically within the system function of the /udhcpcd/dhcpd.c file. Attackers can trigger this vulnerability remotely by manipulating the Hostname argument.
This is a critical issue as command injection allows attackers to execute arbitrary code on the affected device. The National Vulnerability Database notes that an exploit for this vulnerability has been publicly disclosed, increasing the immediate risk. Defenders should assume active exploitation is a possibility.
Crucially, this vulnerability only affects D-Link products that are no longer supported by the maintainer. This means there will be no official patches, leaving affected devices permanently vulnerable to remote attacks if they remain in service.
What This Means For You
- If your organization or home network uses a D-Link DIR-822 A_101 router, you are running an end-of-life, unpatchable device with a publicly disclosed remote command injection vulnerability. This is a severe security risk. You must immediately replace these devices, as they will be a permanent backdoor into your network.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-7067 D-Link DIR-822 Command Injection in udhcpd Hostname
title: CVE-2026-7067 D-Link DIR-822 Command Injection in udhcpd Hostname
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-7067 in D-Link DIR-822 A_101 devices. This rule specifically looks for the 'hostname=' parameter within a URI path that suggests interaction with the udhcpd service, a known indicator of this command injection vulnerability. The attack targets the Hostname argument in dhcpd.c, allowing remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7067/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'hostname='
cs-uri|contains:
- '/udhcpcd/'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7067 | Command Injection | D-Link DIR-822 A_101 |
| CVE-2026-7067 | Command Injection | udhcpd DHCP Service component |
| CVE-2026-7067 | Command Injection | Vulnerable function: system in /udhcpcd/dhcpd.c |
| CVE-2026-7067 | Command Injection | Manipulation of argument: Hostname |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 03:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
itSourceCode Courier Management System SQLi: CVE-2026-7076
CVE-2026-7076 — A vulnerability was determined in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /edit_branch.php. Executing a manipulation of...
itsourcecode Construction Management System SQLi (CVE-2026-7075)
CVE-2026-7075 — A vulnerability was found in itsourcecode Construction Management System 1.0. This issue affects some unknown processing of the file /locations.php. Performing a manipulation...
CVE-2026-7074: SQL Injection in Construction Management System 1.0
CVE-2026-7074 — A vulnerability has been found in itsourcecode Construction Management System 1.0. This vulnerability affects unknown code of the file /execute1.php. Such manipulation of...