MEDIUM 4.3

CVE-2026-11492: D-Link DIR-823G Privilege Escalation in vsftpd Configuration

A vulnerability in the D-Link DIR-823G router (firmware version 1.0.2B05) allows an authenticated attacker to modify the vsftpd configuration file in a way that violates least privilege protections. The flaw can be exploited remotely by someone with valid login credentials. While the barrier to entry requires authentication, the impact is a privilege escalation that could allow an attacker to exceed their intended access level on the device.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-266, CWE-272
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11492 is a privilege escalation vulnerability affecting D-Link DIR-823G firmware 1.0.2B05. The flaw exists in vsftpd (Very Secure FTP Daemon) configuration handling, specifically in how the /etc/vsftpd.conf file is managed. An authenticated remote attacker can manipulate this configuration file to bypass privilege restrictions (CWE-266: Improper Privilege Management; CWE-272: Improper Privilege Dropping). The vulnerability requires valid credentials to initiate but can result in unauthorized privilege elevation within the device's FTP service context. CVSS v3.1 base score is 4.3 (Medium severity), reflecting the need for authentication but the integrity impact of privilege violation.

Business impact

For organizations relying on D-Link DIR-823G routers, this vulnerability could allow an attacker with valid credentials—such as a disgruntled employee, leaked account, or compromised user—to escalate privileges and potentially manipulate FTP service permissions. This could expose sensitive files accessible via FTP, enable lateral movement within the network, or allow unauthorized configuration changes. In environments where the router serves as a file transfer gateway or hosts backup content, privilege escalation poses a data confidentiality and integrity risk. The public availability of exploit code increases operational risk.

Affected systems

D-Link DIR-823G routers running firmware version 1.0.2B05 are confirmed affected. Organizations should verify whether this firmware version is deployed in their network infrastructure. The DIR-823G is a mid-range wireless router commonly used in SMB and enterprise edge deployments. Verify your installed firmware version via the device web interface (typically accessible at 192.168.0.1) under system settings or device information.

Exploitability

The vulnerability carries moderate exploitability barriers: an attacker must first obtain valid authentication credentials (username and password) to log into the router. However, once authenticated, the attack itself is straightforward—manipulating the vsftpd.conf file does not require special techniques or timing. The fact that proof-of-concept code is publicly available means the technical execution is well-documented and reproducible. Organizations with weak credential hygiene, default credentials still in use, or shared administrative accounts face elevated risk.

Remediation

Firmware updates addressing this vulnerability should be available from D-Link. Check the D-Link support website for DIR-823G firmware updates newer than 1.0.2B05. Apply patches promptly, testing in a non-production environment first if possible. As an interim mitigation, restrict administrative access to the router's web interface using network segmentation, IP allowlisting, or disabling remote management features. Review and audit FTP user permissions manually to detect any unauthorized privilege escalations. Disable vsftpd entirely if FTP functionality is not required.

Patch guidance

Verify the latest firmware available for D-Link DIR-823G on the official D-Link support portal. Firmware updates should be applied via the router's web interface (Administration > System Settings > Firmware Upgrade) or via a direct download and manual upload if the web interface is unavailable. Ensure network connectivity is stable during the update process. After upgrading, power-cycle the device and confirm the new firmware version is active. Document the pre- and post-patch configuration to catch any unexpected changes. Test critical services (FTP, web access, routing) post-patch to ensure normal operation.

Detection guidance

Monitor FTP service logs on the router for unauthorized privilege escalation attempts or configuration file modifications. Look for unexpected changes to /etc/vsftpd.conf timestamps and ownership. Use SSH access (if enabled) to audit the vsftpd configuration and verify it matches a known-good baseline. Network-level detection is difficult without FTP traffic inspection; however, monitor authentication failures and successful logins from unexpected source IPs. Regularly compare the running vsftpd configuration against a documented baseline to catch unauthorized changes post-compromise.

Why prioritize this

While the CVSS score of 4.3 is technically Medium severity, the combination of public exploit code, the prevalence of the DIR-823G in production networks, and the authentication requirement makes this a moderate-priority patch. Organizations with weak credential management or the router exposed to untrusted networks should prioritize this higher. The integrity impact on FTP service configuration could enable downstream attacks or data exposure. However, the requirement for valid credentials prevents this from being a critical threat to networks with strong access controls.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects: Attack Vector (Network) indicates remote exploitation capability; Attack Complexity (Low) means no special conditions are required; Privileges Required (Low) acknowledges that authentication is necessary; User Interaction (None) confirms the attacker does not need victim action; Scope (Unchanged) keeps the impact within the FTP service; Confidentiality (None) indicates no data confidentiality loss in the base score; Integrity (Low) captures the ability to modify FTP configuration; and Availability (None) indicates no service disruption. The score appropriately balances the authentication barrier against the privilege escalation impact.

Frequently asked questions

Does this vulnerability affect my organization if FTP is disabled on the router?

No. If vsftpd is not running or FTP access is disabled on your D-Link DIR-823G, this vulnerability has no practical impact. However, we recommend verifying that vsftpd is explicitly disabled in the configuration, not merely unused, to avoid accidental re-enablement during firmware updates or configuration changes.

Can this vulnerability be exploited without valid router credentials?

No. The vulnerability requires an attacker to already have valid administrative credentials to access the router's configuration interface. However, if your router uses default credentials (common in pre-configured devices), your risk is significantly higher. Change all default credentials immediately.

Is this vulnerability being actively exploited in the wild?

The vulnerability is not currently tracked in the CISA KEV catalog, indicating no confirmed active exploitation at scale as of the latest update. However, public proof-of-concept code is available, so exploitation could begin at any time. Treat this as a proactive patch priority rather than an emergency response.

What should I do if I cannot update firmware immediately?

Implement network segmentation to limit access to the router's management interface. Disable remote management if possible, restricting configuration access to local connections only. Audit and change all router administrative credentials. Disable FTP if it is not required. Monitor authentication logs closely for unauthorized access attempts. Plan a firmware update within a defined maintenance window.

This analysis is provided for informational purposes and reflects the state of vulnerability information as of the publication date. Vendor advisory details, patch availability, and affected version specifics should be verified directly with D-Link support. Organizations should conduct their own risk assessment based on their network environment, user credentials practices, and FTP service reliance. No exploit code, weaponized proof-of-concept, or attack tooling is provided herein. Security decisions should involve consultation with qualified security personnel and alignment with organizational policy. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).