CVE-2026-8273
Command Injection in D-Link DNS-320 Firmware
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| d-link | dns-320 | up to 2.06b01 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8273 involves multiple OS command injection vulnerabilities in the D-Link DNS-320 ShareCenter NAS firmware version 2.06B01. These vulnerabilities affect several CGI binaries, including system_mgr.cgi, account_mgr.cgi, dsk_mgr.cgi, and app_mgr.cgi.
Specifically, functions such as cgi_set_host, cgi_set_ntp, cgi_fan_control, and cgi_merge_user in system_mgr.cgi are vulnerable. These flaws allow an attacker to remotely execute arbitrary operating system commands on the device with elevated privileges.
The vulnerabilities were discovered using automated symbolic execution and fuzzing techniques, and proof-of-concept exploits have demonstrated the ability to run commands on the affected system.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary OS commands on the affected D-Link DNS-320 device with elevated privileges.
Such unauthorized command execution can lead to full compromise of the device, including unauthorized access to data, disruption of device functionality, and potential use of the device as a foothold for further attacks within a network.
Because the attack can be initiated remotely without user interaction, it poses a significant security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-8273 involves multiple OS command injection vulnerabilities in several CGI binaries of the D-Link DNS-320 firmware version 2.06B01. Detection typically involves monitoring for unusual or unauthorized requests to the affected CGI endpoints such as /cgi-bin/system_mgr.cgi with parameters targeting functions like cgi_set_host, cgi_set_ntp, cgi_fan_control, and cgi_merge_user.
To detect exploitation attempts, you can inspect web server logs for suspicious HTTP requests containing command injection payloads targeting these CGI functions.
Example commands to check logs for suspicious activity might include:
- grep -i 'cgi_set_host' /var/log/httpd/access_log
- grep -i 'cgi_set_ntp' /var/log/httpd/access_log
- grep -i 'cgi_fan_control' /var/log/httpd/access_log
- grep -i 'cgi_merge_user' /var/log/httpd/access_log
Additionally, monitoring for unexpected command execution or elevated privilege activities on the device may help detect exploitation.
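The log review described above can go beyond matching handler names. The following added example (not code from the advisory, the vendor, or the researchers) percent-decodes each query parameter sent to the four CGI binaries and flags values that contain shell metacharacters. It assumes Common/Combined Log Format; the sample lines and the parameter names `a` and `b` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# CGI binaries and handler names as listed in the text above.
CGI_BINARIES = {"system_mgr.cgi", "account_mgr.cgi", "dsk_mgr.cgi", "app_mgr.cgi"}
HANDLERS = {"cgi_set_host", "cgi_set_ntp", "cgi_fan_control", "cgi_merge_user"}

# Separators and substitutions a shell would interpret inside a value.
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(|\$\{")

# Assumption: Common/Combined Log Format. Only the request line is logged, so
# parameters sent in a POST body are invisible to this check.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; parameter names "a" and "b" are placeholders.
SAMPLE = [
    '192.0.2.10 - - [11/May/2026:10:00:00 +0000] "GET /cgi-bin/system_mgr.cgi?a=cgi_set_ntp&b=pool.example HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/May/2026:10:01:00 +0000] "GET /cgi-bin/system_mgr.cgi?a=cgi_set_ntp&b=pool.example%3Becho+x HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/May/2026:10:02:00 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 90',
    '198.51.100.7 - - [11/May/2026:10:03:00 +0000] "GET /cgi-bin/dsk_mgr.cgi?a=other&b=%24%28echo+x%29 HTTP/1.1" 200 64',
]

def params(query):
    """Split on '&' first, then decode, so an encoded %26 or %3B stays in the value."""
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)

def scan(lines):
    """Return one finding per request to an affected CGI carrying shell metacharacters."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1] not in CGI_BINARIES:
            continue  # request is not for one of the affected binaries
        pairs = list(params(url.query))
        handler = next((v for _, v in pairs if v in HANDLERS), None)
        bad = sorted(k for k, v in pairs if SHELL_META.search(v))
        if bad:
            findings.append({"line": lineno, "client": client, "cgi": url.path,
                             "handler": handler, "params": bad, "status": int(status)})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit shows that a suspicious value reached the endpoint, not that it executed; correlate it with process or configuration changes on the device.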
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-8273 include restricting access to the vulnerable CGI endpoints on the D-Link DNS-320 device to trusted networks only.
Disabling or blocking remote access to the affected CGI functions (such as cgi_set_host, cgi_set_ntp, cgi_fan_control, and cgi_merge_user) can reduce the risk of exploitation.
If possible, apply any available firmware updates or patches from the vendor that address these vulnerabilities.
As a precaution, monitor the device for unusual activity and consider isolating it from untrusted networks until a fix is applied.