CVE-2026-4205
Remote Command Injection in D-Link CGI app_mgr.cgi Functions
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dnr-202l_firmware | to 2026-02-05 (inc) |
| dlink | dnr-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-1100-4_firmware | to 2026-02-05 (inc) |
| dlink | dns-120_firmware | to 2026-02-05 (inc) |
| dlink | dns-1200-05_firmware | to 2026-02-05 (inc) |
| dlink | dns-1550-04_firmware | to 2026-02-05 (inc) |
| dlink | dns-315l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320_firmware | to 2026-02-05 (inc) |
| dlink | dns-320l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320lw_firmware | to 2026-02-05 (inc) |
| dlink | dns-321_firmware | to 2026-02-05 (inc) |
| dlink | dns-322l_firmware | to 2026-02-05 (inc) |
| dlink | dns-323_firmware | to 2026-02-05 (inc) |
| dlink | dns-325_firmware | to 2026-02-05 (inc) |
| dlink | dns-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-327l_firmware | to 2026-02-05 (inc) |
| dlink | dns-340l_firmware | to 2026-02-05 (inc) |
| dlink | dns-343_firmware | to 2026-02-05 (inc) |
| dlink | dns-345_firmware | to 2026-02-05 (inc) |
| dlink | dns-726-4_firmware | to 2026-02-05 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4205 is a critical command injection vulnerability affecting multiple D-Link NAS device models. It exists in the CGI script located at /cgi-bin/app_mgr.cgi, specifically within the functions cgi_refresh_db, FTP_Server_BlockIP_Add, and FTP_Server_BlockIP_Del. These functions improperly handle user-supplied input parameters without proper sanitization, allowing attackers to inject and execute arbitrary operating system commands remotely without authentication.
Attackers can exploit this vulnerability by sending crafted POST requests to the vulnerable endpoint with malicious parameters, which can open remote shells on the device, granting full control over it. The vulnerability is publicly disclosed with proof-of-concept exploits available, making exploitation straightforward.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices without authentication. This can lead to complete compromise of the device, including unauthorized access, control over device functions, and potential disruption of services.
- Attackers can open remote shells on the device, enabling persistent access.
- Confidentiality, integrity, and availability of the device and its data can be severely impacted.
- Malicious actors could use the compromised device as a foothold for further network attacks.
- There are no known mitigations or patches, so affected devices should be replaced.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /cgi-bin/app_mgr.cgi endpoint on affected D-Link devices. Specifically, crafted POST requests that include parameters such as f_dir, f_function, f_ip, or cmd with unusual or command-like values may indicate exploitation attempts.
For detection, you can use network monitoring tools or intrusion detection systems to look for POST requests with parameters like:
- POST /cgi-bin/app_mgr.cgi with f_dir parameter containing commands (e.g., utelnetd -p 8920 -l /bin/sh)
- POST /cgi-bin/app_mgr.cgi with cmd=FTP_Server_BlockIP_Add and f_ip parameter containing commands (e.g., utelnetd -p 8921 -l /bin/sh)
Example commands to detect exploitation attempts using curl or similar tools could be:
- curl -v -X POST http://[device_ip]/cgi-bin/app_mgr.cgi -d "f_dir=utelnetd -p 8920 -l /bin/sh"
- curl -v -X POST http://[device_ip]/cgi-bin/app_mgr.cgi -d "cmd=FTP_Server_BlockIP_Add&f_ip=utelnetd -p 8921 -l /bin/sh&f_release_day=&f_permanent=1"
Monitoring logs for unexpected shell openings on ports 8920 or 8921 may also help detect exploitation. [2, 3]
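The monitoring described above can be sketched as a small log filter. This is an added example, not code from the original page or from D-Link; it assumes request records of the form (method, path, body) captured at a proxy or sensor, that a legitimate f_ip is always a literal IP address, and that the "command-like" regular expression is a reasonable heuristic for f_dir and f_function.

```python
import ipaddress
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/app_mgr.cgi"
# CGI functions named in the advisory.
WATCHED_CMDS = {"cgi_refresh_db", "FTP_Server_BlockIP_Add", "FTP_Server_BlockIP_Del"}
# Heuristic (assumption): shell metacharacters, or whitespace followed by
# an option flag or a path, mark a value as command-like.
COMMAND_LIKE = re.compile(r"[;|&`$<>\n]|\s+(?:-\w|/)")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def inspect_request(method, path, body):
    """Return the reasons a request looks like an injection attempt."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    cmd = params.get("cmd", [""])[0]
    tag = f" (cmd={cmd})" if cmd in WATCHED_CMDS else ""
    reasons = []
    for value in params.get("f_ip", []):
        if not is_ip(value):
            reasons.append(f"f_ip is not an IP address{tag}: {value!r}")
    for name in ("f_dir", "f_function"):
        for value in params.get(name, []):
            if COMMAND_LIKE.search(value):
                reasons.append(f"{name} is command-like{tag}: {value!r}")
    return reasons

# Constructed sample records (method, path, body); the flagged values are
# the ones quoted in the text above, 192.0.2.10 is a documentation address.
SAMPLES = [
    ("POST", ENDPOINT, "cmd=FTP_Server_BlockIP_Add&f_ip=192.0.2.10&f_release_day=&f_permanent=1"),
    ("POST", ENDPOINT, "cmd=FTP_Server_BlockIP_Add&f_ip=utelnetd -p 8921 -l /bin/sh&f_release_day=&f_permanent=1"),
    ("POST", ENDPOINT, "f_dir=utelnetd+-p+8920+-l+%2Fbin%2Fsh"),
    ("GET", "/index.html", ""),
]

def scan(records):
    """Return (record, reasons) for every record that was flagged."""
    return [(r, why) for r in records if (why := inspect_request(*r))]

if __name__ == "__main__":
    for record, why in scan(SAMPLES):
        print(record[2], "->", why)
```

Because values are URL-decoded before matching, the encoded and unencoded forms of the same request are both flagged, while the well-formed block-IP request passes.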
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Replace affected D-Link devices, upgrade them to a version that is not vulnerable, or switch to alternative products, as no known patches or mitigations have been published.
- Restrict network access to the affected devices, especially blocking remote access to the /cgi-bin/app_mgr.cgi endpoint.
- Implement network-level filtering or intrusion detection to block or alert on suspicious POST requests targeting the vulnerable CGI functions.
- Disable remote management features if not required.
Since the vulnerability allows remote command execution without authentication, it is critical to isolate affected devices from untrusted networks until a secure solution is implemented.