Affected Version

D-Link DIR-823X v250416

Vulnerability Description

The D-Link DIR-823X router is susceptible to a Remote Command Injection vulnerability via the /goform/set_upnp endpoint. The flaw exists in the backend function sub_420618, which fails to adequately filter the newline character (\n or 0x0A) when handling the upnp_enable parameter. An authenticated attacker can inject arbitrary shell commands by using a newline to terminate the intended UCI configuration command and initiate a malicious instruction. These commands are subsequently executed with root privileges.

Vulnerability Details

Step 1: Parameter Extraction (Source)

Step 2: Ineffective Validation (Bypass)

Step 3: Command Construction & Execution (Sink)

Proof of Concept (PoC)

[PoC code is provided in the screenshot]

Suggested Repair

1. Strict Whitelisting: Use regular expressions to ensure the upnp_enable parameter contains only valid numeric characters (0 or 1).
2. Comprehensive Blacklisting: Update the filter in sub_414F44 to explicitly reject newline characters (\n, \r) and other shell metacharacters such as $, `, and .
3. Native API Integration: Replace shell-based execution (calls to /sbin/uci) with native C libraries like libuci to handle configuration changes without invoking a command-line interpreter.
4. Input Format Validation: Implement logic to verify the exact expected format; if input contains unexpected characters, the request should be terminated immediately.
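
An added example, not code from the advisory or from the D-Link firmware, sketching repairs 1 and 4 for upnp_enable together with a shell-free variant of repair 3: it still runs /sbin/uci, but through execv() with an argument array instead of libuci or a shell command string. The UCI option name and all function names are hypothetical placeholders, since the advisory does not give the real key.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical UCI option name; the advisory does not give the real key. */
#define UPNP_UCI_KEY "PLACEHOLDER_pkg.PLACEHOLDER_section.enable"

/* Strict whitelist: the whole value must be exactly "0" or "1".
 * len is the raw length taken from the request, so "\n", "\r", embedded
 * NULs and trailing data all fail the length check. Returns 0, 1 or -1. */
int parse_upnp_enable(const char *value, size_t len)
{
    if (value == NULL || len != 1)
        return -1;
    if (value[0] != '0' && value[0] != '1')
        return -1;
    return value[0] - '0';
}

/* Build "key=value" from the validated integer, never from request bytes. */
int format_uci_assignment(int enabled, char *buf, size_t buflen)
{
    if (enabled != 0 && enabled != 1)
        return -1;
    int n = snprintf(buf, buflen, "%s=%d", UPNP_UCI_KEY, enabled);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Reject-or-apply: invalid input ends the request before any process is
 * started. uci is run with an argv array via execv(), so no shell ever
 * parses the argument. Returns 0 on success, -1 on rejection or failure. */
int set_upnp_enable(const char *value, size_t len)
{
    char assign[96];
    int enabled = parse_upnp_enable(value, len);
    if (enabled < 0 || format_uci_assignment(enabled, assign, sizeof assign) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/sbin/uci", "set", assign, NULL };
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The handler should pass the parameter's length as received in the request rather than strlen() of it, so a value truncated at an embedded NUL cannot pass the check.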