CVE-2026-4196
Remote Command Injection in D-Link Remote Backup CGI
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dns-1550-04_firmware | to 2026-02-05 (inc) |
| dlink | dns-315l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320_firmware | to 2026-02-05 (inc) |
| dlink | dns-320l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320lw_firmware | to 2026-02-05 (inc) |
| dlink | dns-321_firmware | to 2026-02-05 (inc) |
| dlink | dns-322l_firmware | to 2026-02-05 (inc) |
| dlink | dns-323_firmware | to 2026-02-05 (inc) |
| dlink | dns-325_firmware | to 2026-02-05 (inc) |
| dlink | dns-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-327l_firmware | to 2026-02-05 (inc) |
| dlink | dns-340l_firmware | to 2026-02-05 (inc) |
| dlink | dns-343_firmware | to 2026-02-05 (inc) |
| dlink | dns-345_firmware | to 2026-02-05 (inc) |
| dlink | dns-726-4_firmware | to 2026-02-05 (inc) |
| dlink | dnr-202l_firmware | to 2026-02-05 (inc) |
| dlink | dnr-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-1100-4_firmware | to 2026-02-05 (inc) |
| dlink | dns-120_firmware | to 2026-02-05 (inc) |
| dlink | dns-1200-05_firmware | to 2026-02-05 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4196 is a command injection vulnerability affecting multiple D-Link NAS device models. It exists in the /cgi-bin/remote_backup.cgi file, specifically within functions such as cgi_recovery, cgi_backup_now, cgi_set_schedule, and cgi_set_rsync_server. These functions improperly handle user-supplied input parameters like 'name', 'num', 'task', and 'f_password' without proper sanitization or validation.

This flaw allows remote attackers to craft malicious requests that inject and execute arbitrary operating system commands on the affected devices. For example, attackers can send specially crafted HTTP POST requests to the vulnerable CGI script, causing the device to execute commands such as starting a telnet daemon with shell access.

The vulnerability can be exploited remotely without local access, making it a significant security risk. [1, 2, 3, 4, 5, 6, 7]
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary commands remotely on affected D-Link NAS devices, leading to unauthorized remote code execution.

The impact includes compromise of the device's confidentiality, integrity, and availability. Attackers can gain remote shell access, potentially control the device, disrupt its normal operation, steal sensitive data, or use the device as a foothold for further attacks within a network.

Since the exploit is publicly available and easy to execute, the risk of exploitation is high. [1, 2, 3, 4, 5, 6, 7]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests targeting the /cgi-bin/remote_backup.cgi endpoint on affected D-Link NAS devices. Specifically, look for requests with content-type application/x-www-form-urlencoded containing parameters such as cmd=cgi_recovery, cmd=cgi_backup_now, cmd=cgi_set_schedule, or cmd=cgi_set_rsync_server with unusual or suspicious values in parameters like name, num, f_password, or task.

A practical detection method is to capture and analyze network traffic for these malicious payloads. For example, using tools like curl or wget to test the endpoint with crafted payloads can help confirm vulnerability presence.

Example command to test for command injection via the cgi_recovery function (using curl):

```
curl -X POST http://<device-ip>/cgi-bin/remote_backup.cgi -H "Content-Type: application/x-www-form-urlencoded" -d "cmd=cgi_recovery&name=';id;'&num=1"
```

If the device executes the injected command (e.g., returns output of 'id'), it indicates the vulnerability.

Similarly, testing the cgi_backup_now function:

```
curl -X POST http://<device-ip>/cgi-bin/remote_backup.cgi -H "Content-Type: application/x-www-form-urlencoded" -d "cmd=cgi_backup_now&name=';id;'"
```

Monitoring for unexpected open ports (e.g., telnet on ports 8889 or 8890) may also indicate exploitation attempts, as proof-of-concept exploits start telnet daemons on these ports. [1, 3, 4, 7]
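The following is an added detection example, not code from the advisory or from D-Link: it applies the indicators above to parsed web-server requests, flagging POSTs to the vulnerable CGI whose watched parameters (name, num, task, f_password) contain shell metacharacters. The request records are constructed, and the simple (method, path, body) record format is an assumption about how your proxy or NAS access log is parsed.

```python
import re
from urllib.parse import parse_qs

# Endpoint and handler names taken from the CVE-2026-4196 advisory.
VULN_PATH = "/cgi-bin/remote_backup.cgi"
VULN_CMDS = {"cgi_recovery", "cgi_backup_now", "cgi_set_schedule", "cgi_set_rsync_server"}
# Parameters the advisory identifies as reaching a command unsanitised.
WATCHED_PARAMS = ("name", "num", "task", "f_password")
# Shell metacharacters that never belong in a backup name, task id or rsync host.
METACHARS = re.compile(r"[;&|`$<>\n\\]")


def classify_request(path: str, body: str) -> dict:
    """Classify one POST to the NAS web server.

    path: request path (any query string is ignored); body: raw form body.
    Returns a dict with 'hit' (bool), 'reason', and the offending values.
    """
    if path.split("?", 1)[0] != VULN_PATH:
        return {"hit": False, "reason": "other path", "suspicious": {}}
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes once, like the CGI
    cmd = params.get("cmd", [""])[0]
    if cmd not in VULN_CMDS:
        return {"hit": False, "reason": "cmd is not a vulnerable handler", "suspicious": {}}
    suspicious = {k: v for k in WATCHED_PARAMS for v in params.get(k, []) if METACHARS.search(v)}
    reason = "shell metacharacters in watched parameter" if suspicious else "benign values"
    return {"hit": bool(suspicious), "cmd": cmd, "reason": reason, "suspicious": suspicious}


# Constructed sample records (assumed log format: method, path, form body), not real traffic.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, "cmd=cgi_backup_now&name=nightly_docs&num=1"),      # legitimate job
    ("POST", VULN_PATH, "cmd=cgi_recovery&name=%27%3Bid%3B%27&num=1"),      # payload from the advisory
    ("POST", VULN_PATH, "cmd=cgi_set_rsync_server&task=2&f_password=p%40ss"),  # '@' is not a metachar
    ("GET", "/cgi-bin/info.cgi", ""),                                         # unrelated endpoint
]


def scan(requests):
    """Return [(index, verdict)] for every POST record flagged as an injection attempt."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        if method != "POST":
            continue
        verdict = classify_request(path, body)
        if verdict["hit"]:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, v in scan(SAMPLE_REQUESTS):
        print(f"record {i}: cmd={v['cmd']} {v['reason']}: {v['suspicious']}")
```

The check mirrors the CGI's single percent-decoding pass, so it sees the same bytes the handler would; pair it with the open-port monitoring mentioned above, since a benign-looking request can still precede a new listener on 8889 or 8890.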
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known countermeasures or official patches available for this vulnerability.
Immediate mitigation steps include:
- Isolate affected devices from untrusted networks to prevent remote exploitation.
- Disable remote access to the /cgi-bin/remote_backup.cgi endpoint if possible.
- Monitor network traffic for suspicious requests targeting the vulnerable functions.
- Replace affected devices with alternative products that are not vulnerable.
Because the vulnerability allows remote command execution without authentication, affected devices should be considered high risk until replaced or patched.