CVE-2026-3485 CRITICAL

CVE-2026-3485: D-Link DIR-868L SSDP Service sub_1BF84 os command injection

Vendor D-Link

Product DIR-868L

Weakness CWE-78

Published March 3, 2026

Last update March 3, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in D-Link DIR-868L 110b03. This affects the function sub_1BF84 of the component SSDP Service. This manipulation of the argument ST causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Key dates

02Disclosure timeline

March 3, 2026 CVE published

March 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3485 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-3485: D-Link DIR-868L SSDP Service sub_1BF84 os command injection

01Description

02Disclosure timeline

03References

04Related CVE