Cyber Posture

CVE-2026-4205

Severity: Medium · Public PoC available

Published: 16 March 2026
Modified: 19 March 2026
KEV Added: none recorded
Patch: none recorded
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0022 (44.0th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_refresh_db/FTP_Server_BlockIP_Add/FTP_Server_BlockIP_Del of the file /cgi-bin/app_mgr.cgi. Such manipulation leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Input validation (prevent)
Directly prevents command injection by requiring validation and sanitization of inputs to vulnerable CGI functions like FTP_Server_BlockIP_Add in app_mgr.cgi. For a parameter that is supposed to be an IP address, this means positive validation (accept only a syntactically valid address) before the value reaches any call that spawns a process; filtering a list of shell metacharacters is not sufficient.

Flaw remediation (prevent)
Mandates timely remediation of the command injection flaw in affected D-Link NAS firmware up to version 20260205. No fixed firmware version is named on this page, so remediation means checking the vendor advisory for each affected model and, until a fix is installed, keeping the management interface off untrusted networks.

Least privilege (prevent)
Enforces least privilege on processes handling CGI requests to limit the scope and impact of injected commands. Whatever account the CGI handler runs as is the account the injected command runs as, so a handler running as root turns any injection into full device compromise.
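The two controls above are abstract; the code below shows what they mean for an IP block-list handler of the kind the advisory names. It is an added example written for this page, not D-Link's firmware and not the public PoC: the command names FTP_Server_BlockIP_Add and FTP_Server_BlockIP_Del come from the advisory, while the helper binary path /usr/sbin/ftpblock, the cmd/ip parameter names and the handler shape are assumptions. The vulnerable builder pastes the request value into a shell command line; the hardened handler first validates the value as an IPv4 literal with inet_pton and then runs the helper through execve with an argv array and an empty environment, so no shell ever parses the input.

```c
/* Added example, not D-Link firmware code. Helper path, parameter names and
 * handler shape are assumed; the FTP_Server_BlockIP_* names are from the
 * advisory. Compile: cc -std=c99 -Wall block_ip.c */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define FTPBLOCK_PATH "/usr/sbin/ftpblock"   /* assumed block-list helper */

/* Vulnerable pattern: the request value is interpolated into a shell line.
 * ip = "198.51.100.7;reboot" yields ".../ftpblock add 198.51.100.7;reboot",
 * and system()/popen() would run reboot after the block command. */
int build_block_cmd_vulnerable(const char *action, const char *ip,
                               char *out, size_t outlen)
{
    int n = snprintf(out, outlen, FTPBLOCK_PATH " %s %s", action, ip);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardening step 1: positive validation. inet_pton accepts only a literal
 * dotted-quad; trailing text, spaces and metacharacters all fail. */
int is_valid_ipv4(const char *s)
{
    struct in_addr a;
    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN) return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Map the CGI cmd value to the helper's action; NULL for anything else,
 * so an unexpected cmd can never reach the helper. */
const char *action_for_cmd(const char *cmd)
{
    if (cmd == NULL) return NULL;
    if (strcmp(cmd, "FTP_Server_BlockIP_Add") == 0) return "add";
    if (strcmp(cmd, "FTP_Server_BlockIP_Del") == 0) return "del";
    return NULL;
}

/* Hardening step 2: no shell. After validation, execve the helper with an
 * argv array; each argument is passed verbatim, so ';', '`' or '$(...)' in
 * ip are just bytes. Returns -1 on rejection or spawn failure, otherwise the
 * helper's exit status. */
int handle_block_ip(const char *cmd, const char *ip)
{
    const char *action = action_for_cmd(cmd);
    if (action == NULL || !is_valid_ipv4(ip)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ftpblock", (char *)action, (char *)ip, NULL };
        char *envp[] = { NULL };   /* no inherited PATH, IFS, LD_PRELOAD... */
        execve(FTPBLOCK_PATH, argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];
    const char *evil = "198.51.100.7;reboot";   /* constructed input */
    build_block_cmd_vulnerable("add", evil, buf, sizeof buf);
    printf("vulnerable shell line: %s\n", buf);
    printf("hardened handler accepted it: %s\n",
           handle_block_ip("FTP_Server_BlockIP_Add", evil) == -1 ? "no" : "yes");
    return 0;
}
```

Positive validation is the control that matters here: a deny-list of `;`, `|` and `&` still misses backticks, `$(...)` and newlines, while inet_pton accepts only dotted-quad text. Dropping the shell is the second layer, and it also protects parameters that cannot be validated as tightly as an address.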

Security Summary [AI-generated]

CVE-2026-4205 is a command injection vulnerability affecting multiple D-Link network-attached storage (NAS) devices, including models DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 running firmware up to version 20260205. The flaw lies in the cgi_refresh_db, FTP_Server_BlockIP_Add and FTP_Server_BlockIP_Del functions of /cgi-bin/app_mgr.cgi.

The vulnerability can be exploited remotely over the network by an attacker holding low-privilege credentials on the device (PR:L), with low attack complexity and no user interaction. Exploitation yields command injection with limited impact to confidentiality, integrity and availability, giving a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A public exploit exists. Two practical points follow from the vector: the attacker first needs a valid account on the NAS, so credential hygiene on these devices is a compensating control, and the web management interface must be reachable, so devices whose UI is exposed to the Internet are the ones at real risk.

Advisories and additional details are documented in the GitHub write-ups at https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_131/131.md and https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_132/132.md, and in the VulDB entries at https://vuldb.com/?ctiid.351117, https://vuldb.com/?id.351117 and https://vuldb.com/?submit.770410. No patch or vendor mitigation guidance is given in the information available on this page.

Details

CWE(s): none listed on this page

Affected Products (vendor / product / version)

dlink   dnr-202l firmware     ≤ 2026-02-05
dlink   dnr-326 firmware      ≤ 2026-02-05
dlink   dns-1100-4 firmware   ≤ 2026-02-05
dlink   dns-120 firmware      ≤ 2026-02-05
dlink   dns-1200-05 firmware  ≤ 2026-02-05
dlink   dns-1550-04 firmware  ≤ 2026-02-05
dlink   dns-315l firmware     ≤ 2026-02-05
dlink   dns-320 firmware      ≤ 2026-02-05
dlink   dns-320l firmware     ≤ 2026-02-05
dlink   dns-320lw firmware    ≤ 2026-02-05
+10 more product configuration(s); see NVD for the full list

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

A command injection flaw in the web CGI interface of a network-exposed NAS maps to exploitation of a public-facing application for initial access (T1190); the injected payload is then run by the device's Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
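The T1190 mapping above suggests one concrete check: scan web-server access logs for requests to /cgi-bin/app_mgr.cgi whose query values carry shell metacharacters. The code below is an added example written for this page, not code from the advisory or from D-Link. The Common Log Format lines are constructed, and the parameter names cmd= and ip= are assumptions; only the CGI path and the FTP_Server_BlockIP_* command names come from the advisory. It splits the raw query on '&' before percent-decoding each value, so a literal '&' separating parameters is not confused with an encoded %26 inside a value.

```c
/* Added example, not advisory or vendor code. Log format and parameter
 * names are assumed; the CGI path and command names are from the advisory.
 * Compile: cc -std=c99 -Wall app_mgr_detect.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src[0..len) into dst; '+' becomes a space. Called per
 * value, after the query has been split on '&'. */
static void url_decode(const char *src, size_t len, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0;
    while (i < len && o + 1 < dstlen) {
        int h1, h2;
        if (src[i] == '%' && i + 2 < len &&
            (h1 = hexval(src[i + 1])) >= 0 && (h2 = hexval(src[i + 2])) >= 0) {
            dst[o++] = (char)(h1 * 16 + h2);
            i += 3;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
            i++;
        } else {
            dst[o++] = src[i++];
        }
    }
    dst[o] = '\0';
}

/* Return 1 if line is a request to app_mgr.cgi with a shell metacharacter in
 * any decoded query value, else 0. Only the query string is visible in an
 * access log, so injection carried in a POST body is not caught here. */
int flag_app_mgr_injection(const char *line)
{
    static const char prefix[] = "/cgi-bin/app_mgr.cgi?";
    const char *q = strstr(line, prefix);
    if (q == NULL) return 0;
    q += sizeof prefix - 1;
    const char *end = q + strcspn(q, " \"");   /* query ends at space or quote */

    while (q < end) {
        const char *amp = memchr(q, '&', (size_t)(end - q));
        const char *pend = amp ? amp : end;
        const char *eq = memchr(q, '=', (size_t)(pend - q));
        const char *val = eq ? eq + 1 : q;
        char dec[256];
        url_decode(val, (size_t)(pend - val), dec, sizeof dec);
        if (strpbrk(dec, ";|&`$\n\r") != NULL) return 1;
        q = amp ? amp + 1 : end;
    }
    return 0;
}

/* Constructed sample lines, not from a real device. */
const char *const SAMPLE_LOG[] = {
    "192.0.2.10 - admin [16/Mar/2026:10:00:00 +0000] \"GET /cgi-bin/app_mgr.cgi?cmd=FTP_Server_BlockIP_Add&ip=198.51.100.7 HTTP/1.1\" 200 45",
    "192.0.2.10 - admin [16/Mar/2026:10:00:05 +0000] \"GET /cgi-bin/app_mgr.cgi?cmd=FTP_Server_BlockIP_Add&ip=198.51.100.7%3Bcat%20/etc/passwd HTTP/1.1\" 200 45",
    "192.0.2.10 - admin [16/Mar/2026:10:00:09 +0000] \"GET /cgi-bin/app_mgr.cgi?cmd=FTP_Server_BlockIP_Del&ip=198.51.100.7%26%26id HTTP/1.1\" 200 45",
    "192.0.2.10 - admin [16/Mar/2026:10:00:12 +0000] \"GET /cgi-bin/other.cgi?cmd=x%3By HTTP/1.1\" 200 45",
    "192.0.2.10 - admin [16/Mar/2026:10:00:15 +0000] \"POST /cgi-bin/app_mgr.cgi HTTP/1.1\" 200 45",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Count flagged lines; a SIEM rule would raise one alert per flagged line. */
size_t count_flagged(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += flag_app_mgr_injection(lines[i]) ? 1 : 0;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("%s %s\n", flag_app_mgr_injection(SAMPLE_LOG[i]) ? "ALERT" : "ok   ",
               SAMPLE_LOG[i]);
    return 0;
}
```

Because PR:L means the requests come from an authenticated session, pair this with the device's own authentication log: a successful login followed by a flagged app_mgr.cgi request from the same source address is the sequence worth escalating.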

References

https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_131/131.md
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_132/132.md
https://vuldb.com/?ctiid.351117
https://vuldb.com/?id.351117
https://vuldb.com/?submit.770410