CVE-2026-4180
Published: 16 March 2026
Summary
CVE-2026-4180 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in D-Link DIR-816 firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 8.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): prohibits the use of end-of-life, unsupported system components such as the D-Link DIR-816 router, eliminating exposure to unpatchable vulnerabilities like CVE-2026-4180.
- SC-7 (Boundary Protection): monitors and controls communications at system boundaries to block remote unauthenticated access to the vulnerable redirect.asp endpoint on the exposed router web interface.
- Input validation: validates the token_id argument passed to the goahead web server component, preventing the manipulation that leads to improper access controls.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote unauthenticated exploitation of improper access controls in a public-facing web server (goahead on router redirect.asp), directly enabling T1190 for initial access with limited C/I/A impact.
NVD Description
A vulnerability was identified in D-Link DIR-816 1.10CNB05. The impacted element is an unknown function of the file redirect.asp of the component goahead. The manipulation of the argument token_id leads to improper access controls. The attack may be initiated remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2026-4180 is a vulnerability identified in the D-Link DIR-816 router running firmware version 1.10CNB05. It affects an unknown function within the file redirect.asp of the goahead web server component, where manipulation of the token_id argument leads to improper access controls. This issue, published on 2026-03-16, is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation allows limited impact on confidentiality, integrity, and availability, such as unauthorized access or minor disruptions. A proof-of-concept exploit is publicly available, increasing the risk of its use against vulnerable devices.
This vulnerability only affects products that are no longer supported by the maintainer, meaning no official patches or firmware updates are available. References from VulDB and a GitHub repository detail the issue and exploit, while the D-Link website provides general product information but no specific mitigation guidance for this end-of-life hardware. Security practitioners should prioritize network segmentation, exposure monitoring, and replacement of affected routers.
Details
- CWE(s)