CVE-2026-8272
Command Injection in D-Link DNS-320 Firmware

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A security flaw has been discovered in D-Link DNS-320 2.06B01. This affects the function delete/rename/copy/move/chmod/chown of the file /cgi-bin/webfile_mgr.cgi. The manipulation results in os command injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
d-link | dns-320 | 2.06b01
CWE ID | Description
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-8272 is a security vulnerability in the D-Link DNS-320 ShareCenter NAS firmware version 2.06B01, specifically in the /cgi-bin/webfile_mgr.cgi component. It affects multiple file operation functions such as delete, rename, copy, move, chmod, and chown.

The vulnerability arises because these functions improperly handle user input by embedding it directly into shell commands without proper sanitization. This allows an attacker to inject arbitrary OS commands by sending specially crafted requests to the device.

For example, an attacker can send a POST request with parameters that cause the device to execute unintended commands, potentially gaining unauthorized control over the system.


How can this vulnerability impact me?

This vulnerability can have serious impacts as it allows remote attackers to execute arbitrary operating system commands on the affected device.

Exploitation can lead to unauthorized system access, manipulation or deletion of files, and potentially full control over the device.

Such control can be used to disrupt services, steal sensitive information, or use the device as a foothold for further attacks within a network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/webfile_mgr.cgi, especially those containing parameters like cmd=cgi_del and crafted path values that include shell commands.

A practical detection method is to look for POST requests with parameters such as cmd=cgi_del&path=;id&type=file, which indicate attempts to inject OS commands.

Network monitoring tools or intrusion detection systems (IDS) can be configured to alert on such patterns.

  • Use curl or similar tools to test the endpoint with crafted payloads, for example:
      curl -X POST http://<target-ip>/cgi-bin/webfile_mgr.cgi -d 'cmd=cgi_del&path=;id&type=file'
  • Check system logs for unexpected command executions or crashes related to /cgi-bin/webfile_mgr.cgi.
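
The request pattern described above can be matched offline against captured request bodies, for example from a reverse proxy or IDS that logs POST data. The following Python code is an added example, not part of the original advisory or any vendor tooling; the record layout, the sample requests, the /cgi-bin/other.cgi path and the metacharacter list are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/cgi-bin/webfile_mgr.cgi"  # vulnerable CGI named in the advisory
# Assumed list of characters a shell treats as separators or substitutions.
# Legitimate file names can contain some of these, so treat hits as leads.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

def suspicious_params(method, uri, body):
    """Return (name, value) pairs of a form-encoded POST to ENDPOINT whose
    percent-decoded value contains shell metacharacters."""
    if method.upper() != "POST" or urlsplit(uri).path != ENDPOINT:
        return []
    # separator="&" keeps ';' inside a value instead of splitting on it.
    params = parse_qsl(body, keep_blank_values=True, separator="&")
    return [(k, v) for k, v in params if SHELL_META.search(v)]

def scan(records):
    """Return [(source_ip, flagged_params)] for every matching record."""
    alerts = []
    for src, method, uri, body in records:
        hits = suspicious_params(method, uri, body)
        if hits:
            alerts.append((src, hits))
    return alerts

# Constructed sample records: (source IP, method, URI, request body).
# Addresses are documentation ranges; this is not real traffic.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST", ENDPOINT, "cmd=cgi_del&path=/share/docs/old.txt&type=file"),
    ("198.51.100.7", "POST", ENDPOINT, "cmd=cgi_del&path=;id&type=file"),
    # Same value percent-encoded: matching must happen after decoding.
    ("198.51.100.7", "POST", ENDPOINT, "cmd=cgi_del&path=%3Bid&type=file"),
    ("192.0.2.10", "GET", ENDPOINT, ""),
    ("192.0.2.10", "POST", "/cgi-bin/other.cgi", "path=;id"),  # hypothetical path
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_REQUESTS):
        print(f"ALERT {src}: {hits}")
```

Plain web server access logs usually omit POST bodies, so this check needs a data source that records them.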

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/webfile_mgr.cgi to trusted users only, such as by implementing network-level access controls or firewall rules.

Avoid exposing the D-Link DNS-320 device directly to untrusted networks or the internet.

Monitor and block suspicious POST requests that attempt to exploit the file operation functions.

If possible, update the device firmware to a version that patches this vulnerability or apply vendor-provided security updates.

As a temporary measure, disable or restrict the use of the affected file operation functions (delete, rename, copy, move, chmod, chown) if configurable.

