CVE-2026-4207
Published: 16 March 2026
Description
A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This impacts the function cgi_device/cgi_sms_test/cgi_firmware_upload/cgi_ntp_time of the file /cgi-bin/system_mgr.cgi. Executing a manipulation can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires applying vendor firmware updates or patches to directly eliminate the command injection vulnerability in the affected D-Link NAS devices' system_mgr.cgi functions.
Information input validation ensures user-supplied inputs to vulnerable CGI functions like cgi_firmware_upload and cgi_ntp_time are checked and sanitized to block command injection payloads.
Least privilege limits the rights of the low-privileged accounts (PR:L) that exploitation requires, reducing what a successful command injection can do to confidentiality, integrity, and availability.
Security Summary
CVE-2026-4207 is a command injection vulnerability affecting multiple D-Link Network Attached Storage (NAS) devices, including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, with firmware versions up to 20260205. The issue resides in the cgi_device, cgi_sms_test, cgi_firmware_upload, and cgi_ntp_time functions within the /cgi-bin/system_mgr.cgi file, classified under CWE-74 and CWE-77. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful manipulation leads to command injection, potentially granting limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). The exploit has been publicly disclosed, increasing the risk of exploitation against exposed devices.
References include GitHub repositories (https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_141/141.md and https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_142/142.md) detailing the vulnerability, along with VulDB entries (https://vuldb.com/?ctiid.351119, https://vuldb.com/?id.351119, https://vuldb.com/?submit.770420). No specific patch or mitigation details are outlined in the available information.
The public disclosure of the exploit underscores the need for immediate firmware updates where available and network segmentation for affected D-Link NAS devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the public-facing NAS web CGI (/cgi-bin/system_mgr.cgi) maps to Exploit Public-Facing Application (T1190); the injected input is executed by the device's Unix shell (T1059.004).
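The input validation control and the T1190 mapping above both come down to one question for a defender: which requests to /cgi-bin/system_mgr.cgi reach the four affected handlers with shell metacharacters in their parameters? The following detection logic is an added example, not code from the advisory or from D-Link; it assumes the handler is selected by a `cmd` query parameter (an assumption, the page does not name it) and runs over constructed access-log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Handlers the advisory names as affected inside /cgi-bin/system_mgr.cgi
AFFECTED_CMDS = {"cgi_device", "cgi_sms_test", "cgi_firmware_upload", "cgi_ntp_time"}
TARGET_PATH = "/cgi-bin/system_mgr.cgi"

# Shell metacharacters that never belong in a hostname, device name or time value
SHELL_META = re.compile(r"[;|&`\n$]")

# Combined-format access log line (constructed sample format, not device-specific)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; IPs are documentation addresses, payloads are illustrative
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2026:10:01:02 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_ntp_time&ntp_server=pool.ntp.org HTTP/1.1" 200 512
203.0.113.11 - - [16/Mar/2026:10:01:05 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_ntp_time&ntp_server=pool.ntp.org%3Bid HTTP/1.1" 200 512
203.0.113.12 - - [16/Mar/2026:10:01:09 +0000] "POST /cgi-bin/system_mgr.cgi?cmd=cgi_device&name=nas01%60id%60 HTTP/1.1" 200 77
203.0.113.13 - - [16/Mar/2026:10:01:12 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_get_log HTTP/1.1" 200 2048
203.0.113.14 - - [16/Mar/2026:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def flag_request(line):
    """Return a finding dict for a request that hits an affected handler with
    shell metacharacters in any non-cmd parameter, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    cmd = params.get("cmd", [""])[0]  # assumption: 'cmd' selects the handler
    if cmd not in AFFECTED_CMDS:
        return None
    suspicious = sorted(
        name for name, values in params.items() if name != "cmd"
        for v in values if SHELL_META.search(unquote(v))  # catch double-encoding
    )
    if not suspicious:
        return None
    return {"ip": m.group("ip"), "cmd": cmd, "params": suspicious, "status": m.group("status")}

def scan_log(text):
    """Run flag_request over every line and collect the findings."""
    return [f for f in map(flag_request, text.splitlines()) if f is not None]
```

Access logs only carry query-string parameters, so requests that place the injected value in a POST body are invisible here and need a reverse proxy or WAF log that records bodies; a 200 status on a flagged request is worth treating as a likely successful injection rather than a blocked attempt.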