CVE-2026-4195
Remote Command Injection in D-Link DNS Series via wizard_mgr.cgi
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dnr-202l_firmware | to 2026-02-05 (inc) |
| dlink | dnr-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-1100-4_firmware | to 2026-02-05 (inc) |
| dlink | dns-120_firmware | to 2026-02-05 (inc) |
| dlink | dns-1200-05_firmware | to 2026-02-05 (inc) |
| dlink | dns-1550-04_firmware | to 2026-02-05 (inc) |
| dlink | dns-315l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320_firmware | to 2026-02-05 (inc) |
| dlink | dns-320l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320lw_firmware | to 2026-02-05 (inc) |
| dlink | dns-321_firmware | to 2026-02-05 (inc) |
| dlink | dns-322l_firmware | to 2026-02-05 (inc) |
| dlink | dns-323_firmware | to 2026-02-05 (inc) |
| dlink | dns-325_firmware | to 2026-02-05 (inc) |
| dlink | dns-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-327l_firmware | to 2026-02-05 (inc) |
| dlink | dns-340l_firmware | to 2026-02-05 (inc) |
| dlink | dns-343_firmware | to 2026-02-05 (inc) |
| dlink | dns-345_firmware | to 2026-02-05 (inc) |
| dlink | dns-726-4_firmware | to 2026-02-05 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4195 is a command injection vulnerability affecting multiple D-Link NAS devices in their firmware up to version 20260205. The flaw exists in the /cgi-bin/wizard_mgr.cgi file, specifically in the cgi_wizard function, where several parameters such as ip, netmask, gateway, dns1, dns2, pwd, and server_name are passed from user input without proper sanitization or validation.
This improper handling allows remote attackers to inject and execute arbitrary operating system commands by crafting malicious requests that manipulate these parameters. For example, an attacker can send a specially crafted HTTP POST request to execute commands like starting a telnet daemon, thereby gaining shell access on the device.
The vulnerability corresponds to CWE-77 (Improper Neutralization of Special Elements used in a Command) and can be exploited remotely without authentication. A proof-of-concept exploit is publicly available, making exploitation relatively easy.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices, potentially leading to full compromise of the device.
- Attackers can gain unauthorized control over the device.
- Confidentiality, integrity, and availability of the device and its data can be compromised.
- Attackers may execute malicious commands such as starting unauthorized services (e.g., telnet daemon) to maintain persistent access.
- The device can be used as a foothold for further attacks within a network.
Because the exploit can be executed remotely without authentication and is easy to perform, the risk to affected users is significant.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint /cgi-bin/wizard_mgr.cgi on affected D-Link devices. Specifically, requests that include parameters such as ip, netmask, gateway, dns1, dns2, pwd, or server_name with unusual or command-like values may indicate exploitation attempts.
A practical detection method is to capture and analyze network traffic for POST requests targeting /cgi-bin/wizard_mgr.cgi and inspect the payload for command injection patterns.
Example command to capture such traffic using tcpdump:
- tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/wizard_mgr.cgi'
Alternatively, using curl to test if the device is vulnerable by sending a crafted POST request with a benign command injection payload (replace <device_ip> with the target device's IP):
- curl -X POST http://<device_ip>/cgi-bin/wizard_mgr.cgi -d 'ip=`id`&netmask=255.255.255.0&gateway=192.168.1.1&dns1=8.8.8.8&dns2=8.8.4.4&pwd=test&server_name=test'
If the device responds with output indicating command execution (e.g., user id information), it confirms the vulnerability. [2, 3]
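As an added defender-side example (it is not part of the VulDB advisory and not D-Link code), the following Python script applies the detection rule above to raw HTTP requests of the kind that tcpdump -A shows or a reverse proxy logs: it parses the request, and only for POSTs to /cgi-bin/wizard_mgr.cgi percent-decodes the form body, flags any parameter carrying shell metacharacters, and flags any of the five address parameters that is not a valid IPv4 address. The endpoint and parameter names come from the advisory; the sample requests, the 192.0.2.0/24 addresses and the metacharacter set are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names taken from the advisory for CVE-2026-4195.
WIZARD_ENDPOINT = "/cgi-bin/wizard_mgr.cgi"
ADDRESS_PARAMS = {"ip", "netmask", "gateway", "dns1", "dns2"}

# Assumed set of shell metacharacters that a network wizard field never needs.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, body).

    Headers are skipped; only the request line and the body matter here.
    Returns None when there is no usable request line.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    return method, urlsplit(target).path, body


def inspect_wizard_request(raw: str):
    """Return (parameter, reason) findings for a request that looks like an
    injection attempt against wizard_mgr.cgi; an empty list means nothing suspicious."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return []
    method, path, body = parsed
    if method != "POST" or path != WIZARD_ENDPOINT:
        return []

    findings = []
    # parse_qs percent-decodes, so %60id%60 is judged the same as a literal backtick pair.
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if SHELL_META.search(value):
                findings.append((name, "shell metacharacter"))
                continue
            if name in ADDRESS_PARAMS:
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    findings.append((name, "not an IPv4 address"))
    return findings


# Constructed sample requests (documentation addresses, not real hosts).
BENIGN_REQUEST = (
    "POST /cgi-bin/wizard_mgr.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ip=192.0.2.50&netmask=255.255.255.0&gateway=192.0.2.1"
    "&dns1=192.0.2.2&dns2=192.0.2.3&pwd=test&server_name=nas01"
)

# The advisory's own curl probe, but percent-encoded so a plain grep for a
# backtick on the wire would not see it.
ENCODED_PROBE = (
    "POST /cgi-bin/wizard_mgr.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "\r\n"
    "ip=%60id%60&netmask=255.255.255.0&gateway=192.0.2.1"
    "&dns1=192.0.2.2&dns2=192.0.2.3&pwd=test&server_name=test"
)

# No metacharacters at all, but dns1 is not an address: still worth a look.
BAD_ADDRESS = (
    "POST /cgi-bin/wizard_mgr.cgi HTTP/1.1\r\n"
    "\r\n"
    "ip=192.0.2.50&netmask=255.255.255.0&gateway=192.0.2.1"
    "&dns1=1.2.3&dns2=192.0.2.3&pwd=test&server_name=nas01"
)

# A different (constructed) CGI path is out of scope for this rule.
OTHER_ENDPOINT = "POST /cgi-bin/other.cgi HTTP/1.1\r\n\r\nname=a;b"


if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("encoded probe", ENCODED_PROBE),
                       ("bad address", BAD_ADDRESS), ("other endpoint", OTHER_ENDPOINT)]:
        print(f"{label}: {inspect_wizard_request(req)}")
```

Decoding before matching is the point of the example: a probe sent as ip=%60id%60 is caught exactly like ip=`id`, which a pattern match on the raw capture would miss. The IPv4 check is the second layer: none of the five address fields should hold anything but an IPv4 address, so a non-address value is suspicious even when it contains none of the listed metacharacters.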
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable devices by isolating them from untrusted networks and disabling remote management interfaces if possible.
Since no known patches or countermeasures are currently available, it is recommended to replace affected devices with alternative products that are not vulnerable.
Additionally, monitor network traffic for exploitation attempts targeting /cgi-bin/wizard_mgr.cgi and block suspicious requests at the firewall or intrusion prevention system.
Avoid exposing the device's management interface to the internet and enforce strong network segmentation to limit attacker access. [1]