CVE-2026-8271
OS Command Injection in D-Link DNS-320
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| d-link | dns-320 | 2.06b01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8271 is a set of multiple OS command injection vulnerabilities found in the D-Link DNS-320 ShareCenter NAS firmware version 2.06B01. These vulnerabilities exist in eight functions within the /cgi-bin/network_mgr.cgi file. These functions take HTTP parameters and pass them unsanitized to system calls, allowing an attacker to inject arbitrary OS commands remotely.
- The vulnerable functions are cgi_speed, cgi_dhcpd_lease, cgi_ddns, cgi_set_ip, cgi_upnp_del, cgi_dhcpd, cgi_upnp_add, and cgi_upnp_edit.
- Attackers can manipulate parameters such as f_speed, page, rp, f_ddns_username, f_ip, enable, and others to execute arbitrary commands on the device.
The vulnerability allows remote attackers to execute OS commands with user privileges, making it a serious security risk.
How can this vulnerability impact me?
This vulnerability can allow remote attackers to execute arbitrary operating system commands on the affected device. This can lead to unauthorized control over the device, potentially allowing attackers to manipulate device settings, access sensitive data, disrupt network operations, or use the device as a foothold for further attacks within the network.
Because the exploit is publicly available, the risk of exploitation is higher, increasing the likelihood of compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves OS command injection through HTTP parameters in the /cgi-bin/network_mgr.cgi component of the D-Link DNS-320 device. Detection can be attempted by monitoring or testing the vulnerable CGI endpoints with crafted HTTP requests that include shell metacharacters such as "; id" in the parameters.
For example, you can use curl commands to send requests to the vulnerable functions with suspicious parameters to check if command injection is possible or if unexpected command output is returned.
- curl "http://<device-ip>/cgi-bin/network_mgr.cgi?f_speed=1;id"
- curl "http://<device-ip>/cgi-bin/network_mgr.cgi?page=1;id"
- curl "http://<device-ip>/cgi-bin/network_mgr.cgi?f_ddns_username=admin;id"
- curl "http://<device-ip>/cgi-bin/network_mgr.cgi?f_ip=192.168.1.1;id"
If the response contains output from the injected commands (e.g., user id information), it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable device's web interface to trusted networks only, such as by using firewall rules or network segmentation.
Avoid exposing the device's management interface to the internet or untrusted networks.
Monitor network traffic for suspicious requests targeting the /cgi-bin/network_mgr.cgi endpoint with unusual parameters.
If possible, disable or restrict the use of the vulnerable CGI functions until a firmware update or patch is available.
Check with the vendor for any available firmware updates or patches that address this vulnerability and apply them as soon as possible.
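The monitoring step above, as an added example that is not part of the original page: a Python filter that scans web access logs for requests to /cgi-bin/network_mgr.cgi whose parameter values contain shell metacharacters after URL-decoding. The Common Log Format input, the sample lines, and parameters arriving in the query string (as in the curl checks above) are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

ENDPOINT = "/cgi-bin/network_mgr.cgi"
# Parameter names the page lists; it says there are others, so these only label a hit.
NAMED_PARAMS = {"f_speed", "page", "rp", "f_ddns_username", "f_ip", "enable"}
# Characters a shell treats specially, matched after URL-decoding (heuristic).
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")
# Client, method and request target of a Common Log Format line (assumed log format).
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')


def suspicious_params(target):
    """Return (name, decoded value, named on the page?) for each flagged parameter."""
    parts = urlsplit(target)
    if unquote(parts.path) != ENDPOINT:
        return []
    hits = []
    # Split on '&' only, so a raw ';' stays inside the value being inspected.
    for pair in parts.query.split("&"):
        raw_name, _, raw_value = pair.partition("=")
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        if SHELL_META.search(value):
            hits.append((name, value, name in NAMED_PARAMS))
    return hits


def scan(lines):
    """Return (client, method, hits) for every log line with a flagged parameter."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if match:
            client, method, target = match.groups()
            hits = suspicious_params(target)
            if hits:
                findings.append((client, method, hits))
    return findings


# Constructed sample lines (documentation addresses, not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2026:10:00:01 +0000] "GET /cgi-bin/network_mgr.cgi?f_speed=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/May/2026:10:02:13 +0000] "GET /cgi-bin/network_mgr.cgi?f_ip=192.168.1.1%3Bid HTTP/1.1" 200 640',
    '198.51.100.7 - - [11/May/2026:10:02:15 +0000] "GET /cgi-bin/network_mgr.cgi?f_ddns_username=admin;id HTTP/1.1" 200 640',
    '192.0.2.10 - - [11/May/2026:10:03:40 +0000] "GET /web/index.html?note=a;b HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for client, method, hits in scan(SAMPLE_LOG):
        print(client, method, hits)
```

Requests that carry the parameters in a POST body do not appear in access logs, so the same check would have to run on a proxy or IDS that sees request bodies.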