OS Command Injection Vulnerability in D-Link DIR-825 and DIR-825R Routers
CVE-2026-4627

8.6HIGH

Key Information:

Vendor: D-link
Status: Dir-825; Dir-825r
Vendor: CVE Published:; 24 March 2026

What is CVE-2026-4627?

A vulnerability exists in the D-Link DIR-825 and DIR-825R routers within the handler_update_system_time function of the NTP Service. This flaw allows remote attackers to execute arbitrary operating system commands through crafted inputs due to inadequate sanitization. Notably, this issue is critical for devices that are no longer supported by D-Link, leaving those routers vulnerable to exploitation.

Affected Version(s)

DIR-825 1.0.5

DIR-825 4.5.1

DIR-825R 1.0.5

References

https://vuldb.com/?id.352495

vdb-entrytechnical-description

https://vuldb.com/?ctiid.352495

signaturepermissions-required

https://vuldb.com/?submit.775794

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

1935648903 (VulDB User)

VulDB

CVE-2026-4627 Data

JSON

D-link

What is CVE-2026-4627?

Affected Version(s)

References

CVSS V4

Timeline

Credit