Cyber Posture

CVE-2026-4210

MediumPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0013 31.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share…

more

of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection by requiring validation of the manipulated 'Name' argument in the cgi_tm_set_share function of time_machine.cgi.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the specific command injection flaw in affected D-Link NAS firmware versions up to 20260205.

RA-5 Vulnerability Monitoring and Scanning good match
prevent

Enables scanning for this publicly disclosed CVE to identify vulnerable D-Link NAS devices and prioritize remediation before exploitation.

Security SummaryAI

CVE-2026-4210 is a command injection vulnerability (CWE-74, CWE-77) discovered in multiple D-Link NAS devices, including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, with firmware versions up to 20260205. The issue affects the cgi_tm_set_share function in the /cgi-bin/time_machine.cgi file, where manipulation of the "Name" argument triggers the injection.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely by an attacker with low privileges. Exploitation enables limited impacts on confidentiality, integrity, and availability, such as arbitrary command execution on the affected device.

Advisories and further details, including the publicly released exploit, are documented on VulDB (ctiid.351121, id.351121, submit.770440) and a GitHub repository at https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_159/159.md, with a general reference to the D-Link website at https://www.dlink.com/. Specific mitigation or patch guidance is not detailed in the CVE description.

The public availability of the exploit heightens the risk of real-world attacks against unpatched devices.

Details

CWE(s)
CWE-74CWE-77

Affected Products

dlink
dnr-202l firmware
≤ 2026-02-05
dlink
dnr-326 firmware
≤ 2026-02-05
dlink
dns-1100-4 firmware
≤ 2026-02-05
dlink
dns-120 firmware
≤ 2026-02-05
dlink
dns-1200-05 firmware
≤ 2026-02-05
dlink
dns-1550-04 firmware
≤ 2026-02-05
dlink
dns-315l firmware
≤ 2026-02-05
dlink
dns-320 firmware
≤ 2026-02-05
dlink
dns-320l firmware
≤ 2026-02-05
dlink
dns-320lw firmware
≤ 2026-02-05
+10 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in web CGI endpoint (cgi_tm_set_share) on network-exposed NAS devices enables exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References