CVE-2026-8271
Analyzed Analyzed - Analysis Complete
OS Command Injection in D-Link DNS-320

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was identified in D-Link DNS-320 2.06B01. The impacted element is the function cgi_speed/cgi_dhcpd_lease/cgi_ddns/cgi_set_ip/cgi_upnp_del/cgi_dhcpd/cgi_upnp_add/cgi_upnp_edit of the file /cgi-bin/network_mgr.cgi. The manipulation leads to os command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8271
EUVD
EUVD-2026-29029
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dns-320_firmware 2.06b01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8271 is a set of multiple OS command injection vulnerabilities found in the D-Link DNS-320 ShareCenter NAS firmware version 2.06B01. These vulnerabilities exist in eight functions within the /cgi-bin/network_mgr.cgi file. These functions take HTTP parameters and pass them unsanitized to system calls, allowing an attacker to inject arbitrary OS commands remotely.

  • The vulnerable functions are cgi_speed, cgi_dhcpd_lease, cgi_ddns, cgi_set_ip, cgi_upnp_del, cgi_dhcpd, cgi_upnp_add, and cgi_upnp_edit.
  • Attackers can manipulate parameters such as f_speed, page, rp, f_ddns_username, f_ip, enable, and others to execute arbitrary commands on the device.

The vulnerability allows remote attackers to execute OS commands with user privileges, making it a serious security risk.

Impact Analysis

This vulnerability can allow remote attackers to execute arbitrary operating system commands on the affected device. This can lead to unauthorized control over the device, potentially allowing attackers to manipulate device settings, access sensitive data, disrupt network operations, or use the device as a foothold for further attacks within the network.

Because the exploit is publicly available, the risk of exploitation is higher, increasing the likelihood of compromise.

Detection Guidance

This vulnerability involves OS command injection through HTTP parameters in the /cgi-bin/network_mgr.cgi component of the D-Link DNS-320 device. Detection can be attempted by monitoring or testing the vulnerable CGI endpoints with crafted HTTP requests that include shell metacharacters such as "; id" in the parameters.

For example, you can use curl commands to send requests to the vulnerable functions with suspicious parameters to check if command injection is possible or if unexpected command output is returned.

  • curl "http://<device-ip>/cgi-bin/network_mgr.cgi?f_speed=1;id"
  • curl "http://<device-ip>/cgi-bin/network_mgr.cgi?page=1;id"
  • curl "http://<device-ip>/cgi-bin/network_mgr.cgi?f_ddns_username=admin;id"
  • curl "http://<device-ip>/cgi-bin/network_mgr.cgi?f_ip=192.168.1.1;id"

If the response contains output from the injected commands (e.g., user id information), it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable device's web interface to trusted networks only, such as by using firewall rules or network segmentation.

Avoid exposing the device's management interface to the internet or untrusted networks.

Monitor network traffic for suspicious requests targeting the /cgi-bin/network_mgr.cgi endpoint with unusual parameters.

If possible, disable or restrict the use of the vulnerable CGI functions until a firmware update or patch is available.

Check with the vendor for any available firmware updates or patches that address this vulnerability and apply them as soon as possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart