CVE-2026-4196
Status: Awaiting Analysis - Queue
Remote Command Injection in D-Link Remote Backup CGI

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 firmware up to 20260205. It affects the functions cgi_recovery, cgi_backup_now, cgi_set_schedule and cgi_set_rsync_server of the file /cgi-bin/remote_backup.cgi. Manipulation of their input leads to command injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (20 associated CPEs)
Vendor   Product                 Version / Range
dlink    dns-1550-04_firmware    up to 2026-02-05 (inclusive)
dlink    dns-315l_firmware       up to 2026-02-05 (inclusive)
dlink    dns-320_firmware        up to 2026-02-05 (inclusive)
dlink    dns-320l_firmware       up to 2026-02-05 (inclusive)
dlink    dns-320lw_firmware      up to 2026-02-05 (inclusive)
dlink    dns-321_firmware        up to 2026-02-05 (inclusive)
dlink    dns-322l_firmware       up to 2026-02-05 (inclusive)
dlink    dns-323_firmware        up to 2026-02-05 (inclusive)
dlink    dns-325_firmware        up to 2026-02-05 (inclusive)
dlink    dns-326_firmware        up to 2026-02-05 (inclusive)
dlink    dns-327l_firmware       up to 2026-02-05 (inclusive)
dlink    dns-340l_firmware       up to 2026-02-05 (inclusive)
dlink    dns-343_firmware        up to 2026-02-05 (inclusive)
dlink    dns-345_firmware        up to 2026-02-05 (inclusive)
dlink    dns-726-4_firmware      up to 2026-02-05 (inclusive)
dlink    dnr-202l_firmware       up to 2026-02-05 (inclusive)
dlink    dnr-326_firmware        up to 2026-02-05 (inclusive)
dlink    dns-1100-4_firmware     up to 2026-02-05 (inclusive)
dlink    dns-120_firmware        up to 2026-02-05 (inclusive)
dlink    dns-1200-05_firmware    up to 2026-02-05 (inclusive)
CWE
CWE-77 (Command Injection): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 (Injection): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4196 is a command injection vulnerability affecting multiple D-Link NAS device models. It exists in the /cgi-bin/remote_backup.cgi script, specifically in the handlers cgi_recovery, cgi_backup_now, cgi_set_schedule and cgi_set_rsync_server. These handlers pass the user-supplied parameters name, num, task and f_password into an operating system command without sanitizing or validating them.

The flaw allows a remote attacker to craft requests that inject and execute arbitrary operating system commands on the affected device. For example, a specially crafted HTTP POST request to the vulnerable CGI script can make the device start a telnet daemon that hands out a shell.

The vulnerability can be exploited remotely without local access, which makes it a significant security risk. [1, 2, 3, 4, 5, 6, 7]


How can this vulnerability impact me?

This vulnerability allows attackers to execute arbitrary commands remotely on affected D-Link NAS devices, i.e. unauthorized remote code execution.

The impact covers the device's confidentiality, integrity and availability. An attacker can gain a remote shell, take control of the device, disrupt its normal operation, steal the data stored on it, or use the device as a foothold for further attacks within the network.

Since the exploit is publicly available and easy to execute, the risk of exploitation is high. [1, 2, 3, 4, 5, 6, 7]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Passive detection: monitor for HTTP POST requests to /cgi-bin/remote_backup.cgi on affected D-Link NAS devices whose application/x-www-form-urlencoded body carries cmd=cgi_recovery, cmd=cgi_backup_now, cmd=cgi_set_schedule or cmd=cgi_set_rsync_server together with shell metacharacters (quotes, semicolons, pipes, backticks, $( )) in the name, num, f_password or task parameters. Capture the traffic at a proxy, IDS sensor or mirror port: ordinary web-server access logs record the request line but not the POST body, so they will not show the injected payload.

Active verification: against a device you are authorized to test, send the same kind of request with a harmless injected command. Via the cgi_recovery function:

    curl -X POST "http://<device-ip>/cgi-bin/remote_backup.cgi" -H "Content-Type: application/x-www-form-urlencoded" -d "cmd=cgi_recovery&name=';id;'&num=1"

and via the cgi_backup_now function:

    curl -X POST "http://<device-ip>/cgi-bin/remote_backup.cgi" -H "Content-Type: application/x-www-form-urlencoded" -d "cmd=cgi_backup_now&name=';id;'"

If the response contains the output of id, the device is vulnerable. The output of the injected command is not necessarily reflected in the response, so a negative result does not prove the device is safe; a command with an externally observable side effect (for example a sleep of several seconds, and comparing response times) is a more reliable probe. Use --data-urlencode instead of -d if the payload contains characters that curl or the server would otherwise interpret as form syntax.

Also watch for unexpected listening ports, in particular telnet on 8889 or 8890, since the public proof-of-concept exploits start telnet daemons there; a scan such as nmap -p 8889,8890 <device-ip> on a NAS that should not be offering telnet is a strong sign of prior exploitation. [1, 3, 4, 7]
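The passive side of the advice above, as an added example (this is not code from the CVE record, from VulDB or from D-Link): a scanner that parses constructed access-log lines, merges query-string and body parameters, and flags requests to /cgi-bin/remote_backup.cgi that select one of the four vulnerable handlers and carry shell metacharacters in name, num, task or f_password. The log line layout, the client addresses and the payloads are constructed for the example; inspecting the query string as well as the POST body is an assumption of the example, since the entry only documents POST bodies.

```python
"""Flag exploitation attempts against /cgi-bin/remote_backup.cgi in HTTP access logs.

Example code added to this entry, not part of the CVE record or of any D-Link
software. The log format is constructed for the example (timestamp, client IP,
method, path, form body or "-"); adapt parse_line() to the layout of your own
proxy or sensor log.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/cgi-bin/remote_backup.cgi"
# the four handlers named in the CVE description
VULN_CMDS = {"cgi_recovery", "cgi_backup_now", "cgi_set_schedule", "cgi_set_rsync_server"}
# parameters the Q&A names as the injection points
WATCHED_PARAMS = ("name", "num", "task", "f_password")
# shell metacharacters that a backup job name or task number never legitimately contains
META_CHARS = set(";&|`$(){}<>'\"\\\n")


def parse_line(line):
    """Split one constructed log line into (ts, ip, method, path, body)."""
    ts, ip, method, path, body = line.split(maxsplit=4)
    return ts, ip, method, path, ("" if body == "-" else body)


def classify_request(method, path, body):
    """Return a finding dict for a suspicious request, or None if it looks benign.

    Assumption (not stated in the entry): the CGI may read parameters from the
    query string as well as from the POST body, so both are merged before inspection.
    """
    url = urlsplit(path)
    if url.path != VULN_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    cmd = params.get("cmd", [""])[0]
    if cmd not in VULN_CMDS:
        return None
    # parse_qs has already percent-decoded the values, so encoded payloads are caught too
    tainted = {p: v
               for p in WATCHED_PARAMS
               for v in params.get(p, [])
               if any(c in META_CHARS for c in v)}
    if not tainted:
        return None
    return {"method": method, "cmd": cmd, "tainted": tainted}


def scan_log(text):
    """Run classify_request over every line; return (findings, hit count per client IP)."""
    findings, per_ip = [], Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, body = parse_line(line)
        finding = classify_request(method, path, body)
        if finding:
            finding.update(ts=ts, ip=ip)
            findings.append(finding)
            per_ip[ip] += 1
    return findings, per_ip


# Constructed sample traffic: one benign backup job, two injection attempts from the
# same client (one of them starting a telnet daemon on 8889 as the public PoC does),
# one attempt carried in the query string, and one request to an unrelated CGI.
SAMPLE_LOG = """\
2026-03-16T10:22:01Z 192.0.2.10 POST /cgi-bin/remote_backup.cgi cmd=cgi_backup_now&name=weekly_docs&num=1
2026-03-16T10:22:07Z 203.0.113.5 POST /cgi-bin/remote_backup.cgi cmd=cgi_recovery&name=%27%3Bid%3B%27&num=1
2026-03-16T10:22:09Z 203.0.113.5 POST /cgi-bin/remote_backup.cgi cmd=cgi_set_rsync_server&f_password=x%27%3Btelnetd+-p+8889+-l+%2Fbin%2Fsh%3B%27
2026-03-16T10:22:12Z 198.51.100.7 GET /cgi-bin/remote_backup.cgi?cmd=cgi_set_schedule&task=1%7Cid -
2026-03-16T10:22:15Z 192.0.2.10 POST /cgi-bin/system_mgr.cgi cmd=cgi_get_log&name=%27%3Bid%3B%27
"""

if __name__ == "__main__":
    findings, per_ip = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['ip']} {f['method']} cmd={f['cmd']} tainted={f['tainted']}")
    print("attempts per client:", dict(per_ip))
```

Run as a script it reports the three injection attempts and that 203.0.113.5 made two of them; the benign backup job and the request to the other CGI are ignored. An rsync password (f_password) may legitimately contain punctuation, so a hit on that parameter alone deserves lower confidence than a hit on name, num or task; tune META_CHARS and the watched parameters to what your devices actually accept.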


What immediate steps should I take to mitigate this vulnerability?

At the time of writing, no official patch or vendor countermeasure is known for this vulnerability.

Immediate mitigation steps include:

  • Isolate affected devices from untrusted networks to prevent remote exploitation.
  • Disable remote access to the /cgi-bin/remote_backup.cgi endpoint if possible.
  • Monitor network traffic for suspicious requests targeting the vulnerable functions.
  • Replace affected devices with alternative products that are not vulnerable.

Because the public exploit reportedly achieves remote command execution without authentication, affected devices should be treated as high risk until they are patched or replaced.

