CVE-2026-4204
Command Injection in D-Link CGI Functions Enables Remote Exploitation
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dnr-202l_firmware | to 2026-02-05 (inc) |
| dlink | dnr-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-1100-4_firmware | to 2026-02-05 (inc) |
| dlink | dns-120_firmware | to 2026-02-05 (inc) |
| dlink | dns-1200-05_firmware | to 2026-02-05 (inc) |
| dlink | dns-1550-04_firmware | to 2026-02-05 (inc) |
| dlink | dns-315l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320_firmware | to 2026-02-05 (inc) |
| dlink | dns-320l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320lw_firmware | to 2026-02-05 (inc) |
| dlink | dns-321_firmware | to 2026-02-05 (inc) |
| dlink | dns-322l_firmware | to 2026-02-05 (inc) |
| dlink | dns-323_firmware | to 2026-02-05 (inc) |
| dlink | dns-325_firmware | to 2026-02-05 (inc) |
| dlink | dns-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-327l_firmware | to 2026-02-05 (inc) |
| dlink | dns-340l_firmware | to 2026-02-05 (inc) |
| dlink | dns-343_firmware | to 2026-02-05 (inc) |
| dlink | dns-345_firmware | to 2026-02-05 (inc) |
| dlink | dns-726-4_firmware | to 2026-02-05 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4204 is a command injection vulnerability affecting multiple D-Link NAS devices. It exists in the CGI script `/cgi-bin/gui_mgr.cgi`, specifically in several functions such as `cgi_myfavorite_add`, `cgi_myfavorite_set`, `cgi_myfavorite_del`, and others. The vulnerability arises because the `f_user` parameter is not properly sanitized or validated, allowing an attacker to inject arbitrary operating system commands.
An attacker can exploit this flaw remotely by sending crafted requests that manipulate the `f_user` argument, leading to execution of arbitrary commands on the affected device. For example, an attacker could start a telnet daemon with shell access by injecting commands through this parameter.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices, which can compromise the confidentiality, integrity, and availability of the device and its data.
- Remote code execution leading to unauthorized control over the device.
- Potential installation of backdoors such as a telnet daemon providing shell access.
- Disruption or manipulation of device functions and stored data.
- Exposure to further attacks due to compromised device security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the CGI script `/cgi-bin/gui_mgr.cgi` on affected D-Link NAS devices. Specifically, requests that invoke functions such as `cgi_myfavorite_add`, `cgi_myfavorite_set`, `cgi_myfavorite_del`, `cgi_myfavorite_set_sort_info`, `cgi_myfavorite_remove_apkg`, `cgi_myfavorite_compare_apkg`, or `cgi_mycloud_auto_downlaod` with the `f_user` parameter containing unusual or command-like input may indicate exploitation attempts.

A practical detection method is to capture and analyze HTTP POST traffic targeting `/cgi-bin/gui_mgr.cgi` and inspect the `cmd` and `f_user` parameters for suspicious command injection patterns.

Example command to detect such attempts using network traffic capture tools like tcpdump or tshark:

```sh
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/gui_mgr.cgi'
```

Alternatively, using curl or similar tools to test the vulnerability by sending crafted POST requests to the device can help confirm if the device is vulnerable.

```sh
curl -X POST http://<device-ip>/cgi-bin/gui_mgr.cgi -d 'cmd=cgi_myfavorite_add&f_user=`id`'
```

If the response or device behavior indicates command execution, the vulnerability is present. [3]
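The parameter inspection described in this answer can be automated over captured or proxied requests. The following is an added example, not code from the advisory or from D-Link: it decodes the `cmd` and `f_user` parameters of requests to `/cgi-bin/gui_mgr.cgi` and flags any `f_user` that is not a plain account name. The allowlist pattern is an assumption about legitimate usernames, the sample requests are constructed, and `cgi_example_handler` is a hypothetical name standing in for a handler the page does not list.

```python
import re
from urllib.parse import parse_qs

# Handlers the page lists for /cgi-bin/gui_mgr.cgi (spelling kept as on the page).
AFFECTED_CMDS = {
    "cgi_myfavorite_add", "cgi_myfavorite_set", "cgi_myfavorite_del",
    "cgi_myfavorite_set_sort_info", "cgi_myfavorite_remove_apkg",
    "cgi_myfavorite_compare_apkg", "cgi_mycloud_auto_downlaod",
}

# Assumption: a legitimate f_user is a plain account name. An allowlist catches
# backticks, ';', '|', '$(', spaces and newlines without enumerating each one.
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def inspect_request(path, body):
    """Return (cmd, f_user, cmd_is_listed) for every suspicious f_user value."""
    route, _, query = path.partition("?")
    if route != "/cgi-bin/gui_mgr.cgi":
        return []
    # Parameters may arrive in the query string or the form body; parse_qs
    # percent-decodes them, so encoded payloads (%60, %3B, %0A) are seen decoded.
    params = parse_qs("&".join(p for p in (query, body) if p))
    cmds = params.get("cmd") or ["<none>"]
    bad = [u for u in params.get("f_user", []) if not SAFE_USER.fullmatch(u)]
    return [(c, u, c in AFFECTED_CMDS) for c in cmds for u in bad]

# Constructed sample requests as (path, form body) pairs.
SAMPLES = [
    ("/cgi-bin/gui_mgr.cgi", "cmd=cgi_myfavorite_add&f_user=admin"),
    ("/cgi-bin/gui_mgr.cgi", "cmd=cgi_myfavorite_add&f_user=`id`"),
    ("/cgi-bin/gui_mgr.cgi", "cmd=cgi_myfavorite_del&f_user=admin%3Bid"),
    # Hypothetical handler name: not in the page's list, still reported.
    ("/cgi-bin/gui_mgr.cgi?cmd=cgi_example_handler", "f_user=a%0Aid"),
    ("/index.html", "f_user=`id`"),
]

def scan(requests):
    """Flatten the findings for a sequence of (path, body) requests."""
    return [f for path, body in requests for f in inspect_request(path, body)]

if __name__ == "__main__":
    for cmd, user, listed in scan(SAMPLES):
        tag = "listed handler" if listed else "unlisted handler"
        print(f"ALERT cmd={cmd} ({tag}) f_user={user!r}")
```

Findings for handlers outside the page's list are still reported, because the description says the flaw affects the named functions "and others".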
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected devices' management interfaces to trusted networks only, such as internal networks or VPNs, to reduce exposure to remote attackers.

Since no official patches or countermeasures have been published, it is recommended to replace or upgrade affected devices to versions not vulnerable or to alternative hardware.

Additionally, monitoring network traffic for exploitation attempts and disabling or restricting access to the vulnerable CGI functions, if possible, can help reduce risk.

Implementing network-level protections such as firewalls or intrusion prevention systems to block suspicious requests targeting `/cgi-bin/gui_mgr.cgi` can also help mitigate exploitation. [1]