Cyber Posture

CVE-2026-4203

Medium · Public PoC

Published: 16 March 2026

Modified: 19 March 2026
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0010 (27.9th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted are the functions cgi_portforwarding_add, cgi_portforwarding_del, cgi_portforwarding_modify, cgi_portforwarding_add_scan, cgi_dhcpd_lease, cgi_ddns, cgi_ip and cgi_dhcpd of the file /cgi-bin/network_mgr.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

SI-10 directly and comprehensively prevents command injection by validating and sanitizing user inputs to the vulnerable CGI functions like cgi_portforwarding_add.

prevent, recover

SI-2 ensures timely identification, reporting, and patching of the command injection flaw in affected D-Link NAS firmware versions.

detect, respond

RA-5 enables regular vulnerability scanning to detect the presence of CVE-2026-4203 in deployed D-Link NAS devices and initiate remediation.

Security Summary [AI]

CVE-2026-4203 is a command injection vulnerability (CWE-74, CWE-77) affecting multiple D-Link NAS devices, including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, up to firmware version 20260205. The flaw exists in the functions cgi_portforwarding_add, cgi_portforwarding_del, cgi_portforwarding_modify, cgi_portforwarding_add_scan, cgi_dhcpd_lease, cgi_ddns, cgi_ip, and cgi_dhcpd within the /cgi-bin/network_mgr.cgi component.

An attacker can exploit this vulnerability remotely over the network with low privileges (PR:L), low attack complexity (AC:L), and no user interaction required. Exploitation enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Advisories and technical details are documented in VulDB entries (ctiid.351115, id.351115, submit.770401) and GitHub repositories at https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_122/122.md and https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_123/123.md, which may include mitigation guidance.

The exploit is publicly available, facilitating potential widespread use against vulnerable devices.

Details

CWE(s): CWE-74, CWE-77

Affected Products

dlink · dnr-202l firmware · ≤ 2026-02-05
dlink · dnr-326 firmware · ≤ 2026-02-05
dlink · dns-1100-4 firmware · ≤ 2026-02-05
dlink · dns-120 firmware · ≤ 2026-02-05
dlink · dns-1200-05 firmware · ≤ 2026-02-05
dlink · dns-1550-04 firmware · ≤ 2026-02-05
dlink · dns-315l firmware · ≤ 2026-02-05
dlink · dns-320 firmware · ≤ 2026-02-05
dlink · dns-320l firmware · ≤ 2026-02-05
dlink · dns-320lw firmware · ≤ 2026-02-05
+10 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing CGI endpoints on network devices enables exploitation of public-facing applications (T1190) and execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
