CVE-2026-4209

CVE-2026-4209 is a command injection vulnerability affecting multiple D-Link network-attached storage (NAS) devices, including models DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 running firmware up to version 20260205. The flaw exists in multiple functions within the /cgi-bin/account_mgr.cgi file, such as cgi_create_import_users, cgi_user_batch_create, cgi_user_set_quota, cgi_user_del, cgi_user_modify, cgi_group_set_quota, cgi_group_modify, cgi_group_add, cgi_user_add, cgi_get_modify_group_info, and cgi_chg_admin_pw. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), who can manipulate inputs to the affected CGI endpoints to inject and execute arbitrary commands on the device. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption of services. A public exploit is available, heightening the risk for exposed devices.

Advisories and details are available via VulDB (ctiid.351120, id.351120, submit.770429) and GitHub repositories documenting the vulnerabilities (wudipjq/my_vuln D-Link8/vuln_148/148.md and vuln_149/149.md), which may provide further guidance on identification and remediation.

The public availability of an exploit underscores the potential for real-world attacks against unpatched D-Link NAS deployments still running vulnerable firmware.