CVE-2026-4210
Awaiting Analysis Awaiting Analysis - Queue
Remote Command Injection in D-Link Time Machine CGI Function

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4210
EUVD
EUVD-2026-12283
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
dlink dnr-202l_firmware to 2026-02-05 (inc)
dlink dnr-326_firmware to 2026-02-05 (inc)
dlink dns-1100-4_firmware to 2026-02-05 (inc)
dlink dns-120_firmware to 2026-02-05 (inc)
dlink dns-1200-05_firmware to 2026-02-05 (inc)
dlink dns-1550-04_firmware to 2026-02-05 (inc)
dlink dns-315l_firmware to 2026-02-05 (inc)
dlink dns-320_firmware to 2026-02-05 (inc)
dlink dns-320l_firmware to 2026-02-05 (inc)
dlink dns-320lw_firmware to 2026-02-05 (inc)
dlink dns-321_firmware to 2026-02-05 (inc)
dlink dns-322l_firmware to 2026-02-05 (inc)
dlink dns-323_firmware to 2026-02-05 (inc)
dlink dns-325_firmware to 2026-02-05 (inc)
dlink dns-326_firmware to 2026-02-05 (inc)
dlink dns-327l_firmware to 2026-02-05 (inc)
dlink dns-340l_firmware to 2026-02-05 (inc)
dlink dns-343_firmware to 2026-02-05 (inc)
dlink dns-345_firmware to 2026-02-05 (inc)
dlink dns-726-4_firmware to 2026-02-05 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4210 is a command injection vulnerability affecting multiple D-Link network storage devices. It exists in the function cgi_tm_set_share within the /cgi-bin/time_machine.cgi script. The vulnerability arises because the 'Name' parameter is not properly sanitized, allowing an attacker to inject arbitrary operating system commands."}, {'type': 'paragraph', 'content': "An attacker can exploit this vulnerability remotely by sending specially crafted requests that manipulate the 'Name' argument, leading to execution of arbitrary commands on the device."}, {'type': 'paragraph', 'content': 'This flaw is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command) and is considered critical due to the ease of exploitation and potential impact.'}] [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices without authentication.

This can lead to full compromise of the device, including unauthorized remote shell access, which can be used to control the device, access sensitive data, disrupt services, or use the device as a foothold for further attacks.

  • Confidentiality impact: Attackers may access sensitive information stored on the device.
  • Integrity impact: Attackers can modify or delete data.
  • Availability impact: Attackers can disrupt device operation or services.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of the vulnerable D-Link NAS devices running firmware up to version 20260205 and by testing the /cgi-bin/time_machine.cgi endpoint for command injection via the 'name' parameter."}, {'type': 'paragraph', 'content': 'A practical detection method involves sending a crafted POST request to the URL /cgi-bin/time_machine.cgi with the Content-Type set to application/x-www-form-urlencoded and including the POST data: cmd=cgi_tm_set_share&name=;id;&path=&share=. If the device executes the command and returns output, it indicates vulnerability.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST http://<device-ip>/cgi-bin/time_machine.cgi -H "Content-Type: application/x-www-form-urlencoded" -d "cmd=cgi_tm_set_share&name=;id;&path=&share="'}, {'type': 'paragraph', 'content': "If the response contains output from the 'id' command (such as user and group information), the device is vulnerable to command injection."}] [2]

Mitigation Strategies

There are no known published mitigations or countermeasures for this vulnerability.

The recommended immediate step is to replace affected devices with alternative products that are not vulnerable.

Additionally, restricting network access to the vulnerable devices, especially blocking access to the /cgi-bin/time_machine.cgi endpoint from untrusted networks, may reduce exposure.

Monitoring network traffic for suspicious POST requests targeting /cgi-bin/time_machine.cgi with unusual parameters can help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart