CVE-2026-4210
Remote Command Injection in D-Link Time Machine CGI Function
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dnr-202l_firmware | to 2026-02-05 (inc) |
| dlink | dnr-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-1100-4_firmware | to 2026-02-05 (inc) |
| dlink | dns-120_firmware | to 2026-02-05 (inc) |
| dlink | dns-1200-05_firmware | to 2026-02-05 (inc) |
| dlink | dns-1550-04_firmware | to 2026-02-05 (inc) |
| dlink | dns-315l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320_firmware | to 2026-02-05 (inc) |
| dlink | dns-320l_firmware | to 2026-02-05 (inc) |
| dlink | dns-320lw_firmware | to 2026-02-05 (inc) |
| dlink | dns-321_firmware | to 2026-02-05 (inc) |
| dlink | dns-322l_firmware | to 2026-02-05 (inc) |
| dlink | dns-323_firmware | to 2026-02-05 (inc) |
| dlink | dns-325_firmware | to 2026-02-05 (inc) |
| dlink | dns-326_firmware | to 2026-02-05 (inc) |
| dlink | dns-327l_firmware | to 2026-02-05 (inc) |
| dlink | dns-340l_firmware | to 2026-02-05 (inc) |
| dlink | dns-343_firmware | to 2026-02-05 (inc) |
| dlink | dns-345_firmware | to 2026-02-05 (inc) |
| dlink | dns-726-4_firmware | to 2026-02-05 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4210 is a command injection vulnerability affecting multiple D-Link network storage devices. It exists in the function cgi_tm_set_share within the /cgi-bin/time_machine.cgi script. The vulnerability arises because the 'Name' parameter is not properly sanitized, allowing an attacker to inject arbitrary operating system commands.
An attacker can exploit this vulnerability remotely by sending specially crafted requests that manipulate the 'Name' argument, leading to execution of arbitrary commands on the device.
This flaw is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command) and is considered critical due to the ease of exploitation and potential impact. [1, 2, 3]
How can this vulnerability impact me?
Exploitation of this vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices without authentication.
This can lead to full compromise of the device, including unauthorized remote shell access, which can be used to control the device, access sensitive data, disrupt services, or use the device as a foothold for further attacks.
- Confidentiality impact: Attackers may access sensitive information stored on the device.
- Integrity impact: Attackers can modify or delete data.
- Availability impact: Attackers can disrupt device operation or services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable D-Link NAS devices running firmware up to version 20260205 and by testing the /cgi-bin/time_machine.cgi endpoint for command injection via the 'name' parameter.
A practical detection method involves sending a crafted POST request to the URL /cgi-bin/time_machine.cgi with the Content-Type set to application/x-www-form-urlencoded and including the POST data: cmd=cgi_tm_set_share&name=;id;&path=&share=. If the device executes the command and returns output, it indicates vulnerability.
Example command using curl to test the vulnerability:
- curl -X POST http://<device-ip>/cgi-bin/time_machine.cgi -H "Content-Type: application/x-www-form-urlencoded" -d "cmd=cgi_tm_set_share&name=;id;&path=&share="
If the response contains output from the 'id' command (such as user and group information), the device is vulnerable to command injection. [2]
What immediate steps should I take to mitigate this vulnerability?
There are no known published mitigations or countermeasures for this vulnerability.
The recommended immediate step is to replace affected devices with alternative products that are not vulnerable.
Additionally, restricting network access to the vulnerable devices, especially blocking access to the /cgi-bin/time_machine.cgi endpoint from untrusted networks, may reduce exposure.
Monitoring network traffic for suspicious POST requests targeting /cgi-bin/time_machine.cgi with unusual parameters can help detect exploitation attempts.
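
The monitoring step above, sketched as an added example (not code from the advisory or from D-Link): it flags POST requests to /cgi-bin/time_machine.cgi whose cmd is cgi_tm_set_share and whose name field contains shell metacharacters. The JSON log layout (src, method, path and body fields, as a proxy that records request bodies might emit) and the sample lines are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/cgi-bin/time_machine.cgi"  # endpoint named in the advisory
ACTION = "cgi_tm_set_share"             # cmd value named in the advisory
# Characters a POSIX shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")

def suspicious_name(record):
    """Return the decoded name value if the request looks like injection, else None."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    if urlsplit(str(record.get("path", ""))).path != ENDPOINT:
        return None
    # parse_qsl percent-decodes values; keys are lower-cased because the
    # advisory spells the parameter both 'Name' and 'name'.
    pairs = parse_qsl(str(record.get("body", "")), keep_blank_values=True)
    fields = {key.lower(): value for key, value in pairs}
    if fields.get("cmd") != ACTION:
        return None
    name = fields.get("name", "")
    return name if SHELL_META.search(name) else None

def scan(lines):
    """Return [(source, decoded name)] for flagged lines; skip malformed ones."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(record, dict):
            continue
        name = suspicious_name(record)
        if name is not None:
            hits.append((record.get("src"), name))
    return hits

# Constructed sample lines (assumed log layout, documentation-range addresses).
SAMPLE = [
    '{"src":"192.0.2.10","method":"POST","path":"/cgi-bin/time_machine.cgi","body":"cmd=cgi_tm_set_share&name=Backups&path=vol1&share=vol1"}',
    '{"src":"198.51.100.7","method":"POST","path":"/cgi-bin/time_machine.cgi","body":"cmd=cgi_tm_set_share&name=;id;&path=&share="}',
    '{"src":"203.0.113.5","method":"POST","path":"/cgi-bin/time_machine.cgi","body":"cmd=cgi_tm_set_share&Name=%3Bid%3B&path=&share="}',
    '{"src":"192.0.2.11","method":"POST","path":"/cgi-bin/time_machine.cgi","body":"cmd=other_action&name=;id;"}',
    'truncated line, not JSON',
]

if __name__ == "__main__":
    for src, name in scan(SAMPLE):
        print(f"ALERT {src}: name={name!r}")
```

Standard web access logs do not record POST bodies, so this check only works where a proxy or sensor in front of the device captures them.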