CVE-2026-4209
Remote Command Injection in D-Link account_mgr.cgi Component

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected functions are cgi_create_import_users, cgi_user_batch_create, cgi_user_set_quota, cgi_user_del, cgi_user_modify, cgi_group_set_quota, cgi_group_modify, cgi_group_add, cgi_user_add, cgi_get_modify_group_info and cgi_chg_admin_pw of the file /cgi-bin/account_mgr.cgi. The manipulation leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 20 associated CPEs

Vendor   Product                 Version / Range
dlink    dnr-202l_firmware       to 2026-02-05 (inc)
dlink    dnr-326_firmware        to 2026-02-05 (inc)
dlink    dns-1100-4_firmware     to 2026-02-05 (inc)
dlink    dns-120_firmware        to 2026-02-05 (inc)
dlink    dns-1200-05_firmware    to 2026-02-05 (inc)
dlink    dns-1550-04_firmware    to 2026-02-05 (inc)
dlink    dns-315l_firmware       to 2026-02-05 (inc)
dlink    dns-320_firmware        to 2026-02-05 (inc)
dlink    dns-320l_firmware       to 2026-02-05 (inc)
dlink    dns-320lw_firmware      to 2026-02-05 (inc)
dlink    dns-321_firmware        to 2026-02-05 (inc)
dlink    dns-322l_firmware       to 2026-02-05 (inc)
dlink    dns-323_firmware        to 2026-02-05 (inc)
dlink    dns-325_firmware        to 2026-02-05 (inc)
dlink    dns-326_firmware        to 2026-02-05 (inc)
dlink    dns-327l_firmware       to 2026-02-05 (inc)
dlink    dns-340l_firmware       to 2026-02-05 (inc)
dlink    dns-343_firmware        to 2026-02-05 (inc)
dlink    dns-345_firmware        to 2026-02-05 (inc)
dlink    dns-726-4_firmware      to 2026-02-05 (inc)
CWE ID   Description
CWE-77   Improper Neutralization of Special Elements used in a Command ('Command Injection'): the product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74   Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): the product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4209 is a command injection vulnerability found in multiple D-Link NAS device models, including DNS-120, 202L, 315L, 320 series, 321, 322L, 323, 325, 326, 327L, 340L, 343, 345, 726-4, 1100-4, 1200-05, and 1550-04, with firmware versions up to 20260205.

The vulnerability exists in several CGI functions of the /cgi-bin/account_mgr.cgi file, such as cgi_create_import_users, cgi_user_batch_create, cgi_user_set_quota, cgi_user_del, cgi_user_modify, cgi_group_set_quota, cgi_group_modify, cgi_group_add, cgi_user_add, cgi_get_modify_group_info, and cgi_chg_admin_pw.

In these functions, parameters like 'overwrite', 'app', 'group', 'name', 'pw', and 'member' are directly passed from user input without proper sanitization or validation. This allows remote attackers to craft malicious HTTP requests that inject and execute arbitrary operating system commands on the affected devices.

The exploit is remotely executable and publicly available, enabling attackers to gain unauthorized remote command execution on the vulnerable D-Link NAS devices. [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]


How can this vulnerability impact me?

This vulnerability allows remote attackers to execute arbitrary operating system commands on affected D-Link NAS devices without authorization.

Successful exploitation can lead to unauthorized remote code execution, which may allow attackers to take full control of the device, manipulate or delete data, disrupt services, or use the device as a foothold for further attacks within a network.

For example, an attacker can launch a telnet daemon with shell access on the device, effectively gaining remote shell access and control.

This poses significant security risks including data breaches, service interruptions, and potential compromise of connected systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP POST requests targeting the vulnerable CGI endpoint /cgi-bin/account_mgr.cgi on affected D-Link NAS devices, specifically crafted requests that invoke functions such as cgi_create_import_users, cgi_user_batch_create, cgi_user_add, cgi_user_modify, cgi_user_del, cgi_group_add, cgi_group_modify, cgi_group_set_quota, cgi_user_set_quota, and cgi_get_modify_group_info with parameters that may contain command injection payloads.

A practical detection method is to look for HTTP requests containing unusual or suspicious parameters such as 'app', 'overwrite', 'name', 'group', 'member', 'pw', or 'overwrite_app' with shell command syntax or backticks, which are indicators of command injection attempts.

Example commands to detect exploitation attempts via network traffic inspection or logs include:

  • Using tcpdump or Wireshark to filter HTTP POST requests to /cgi-bin/account_mgr.cgi:
    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/account_mgr.cgi'
  • Searching web server logs for suspicious parameters or payloads containing backticks or shell commands, for example using grep:
    grep -iE 'app=|overwrite=|name=|group=|member=|pw=' /var/log/httpd/access_log | grep -E '`|\$\(|;|&&'

Additionally, monitoring for unexpected open ports or services (such as telnet on unusual ports) may indicate successful exploitation, as demonstrated by the proof-of-concept that launches a telnet daemon on port 8937. [1, 9]
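As an added, defender-side example that is not part of this record or of any D-Link code: a small Python scanner that applies the log check above to Common Log Format entries, percent-decoding each value (twice, to catch double encoding) before looking for shell metacharacters in the watched parameters, which a grep over the raw log would miss. The sample log is constructed, and the `cmd` selector parameter is an assumption, since the record does not name the parameter that selects the CGI function.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Added detection example, not code from the advisory or from D-Link: flag access-log
# entries for /cgi-bin/account_mgr.cgi whose watched parameters carry shell metacharacters.
ENDPOINT = "/cgi-bin/account_mgr.cgi"
WATCHED_PARAMS = {"app", "overwrite", "name", "group", "member", "pw", "overwrite_app"}
# Characters that let a value escape a shell command line; none belong in a user or group name.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Common Log Format: client ident user [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def parse_query(query):
    """Split on '&' only (never on ';') and percent-decode each value twice, so a
    double-encoded metacharacter such as %253B is still recognised as ';'."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(unquote_plus(value)))
    return params

def flag_request(url):
    """Sorted names of watched parameters whose decoded value contains shell
    metacharacters; empty for other endpoints or clean requests."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return []
    return sorted(k for k, vals in parse_query(parts.query).items()
                  if k in WATCHED_PARAMS and any(SHELL_META.search(v) for v in vals))

def scan_log(lines):
    """Return (client, timestamp, flagged parameters) for each suspicious entry."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines not in Common Log Format are skipped
            hits = flag_request(m["url"])
            if hits:
                findings.append((m["src"], m["ts"], hits))
    return findings

# Constructed sample log; the 'cmd' selector parameter is an assumption, the record does not name it.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Mar/2026:10:00:01 +0000] "POST /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice&pw=s3cret HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Mar/2026:10:00:09 +0000] "POST /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob%3Bls&pw=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Mar/2026:10:00:12 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_group_add&group=%2560ls%2560 HTTP/1.1" 200 80',
    '10.0.0.8 - - [16/Mar/2026:10:01:00 +0000] "GET /cgi-bin/status.cgi?name=a%3Bb HTTP/1.1" 200 20',
]
```

Parameters sent in a POST body do not appear in a standard access log, so for POST traffic pass the URL-encoded body captured by tcpdump or a reverse proxy with request-body logging to flag_request() as if it were the query string. Running scan_log(SAMPLE_LOG) reports the two entries from 198.51.100.7 and nothing for the clean request or the other endpoint.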


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Restrict network access to the affected D-Link NAS devices, especially blocking external access to the /cgi-bin/account_mgr.cgi endpoint to prevent remote exploitation.
  • Disable or restrict the vulnerable CGI functions if possible, or disable remote management features until a patch is applied.
  • Apply the latest firmware updates from D-Link that address this command injection vulnerability as soon as they become available.
  • Monitor device logs and network traffic for signs of exploitation attempts or successful attacks.
  • If exploitation is suspected, isolate the affected device from the network and perform a thorough security assessment.
