CVE-2026-4204
Published: 16 March 2026
Summary
CVE-2026-4204 is a medium-severity Injection (CWE-74) vulnerability in D-Link DNR-202L firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 31.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely identification, reporting, and patching of the command injection flaw in affected D-Link NAS firmware versions up to 20260205.
- SI-10 (Information Input Validation): prevents command injection exploitation by enforcing validation and sanitization of the f_user argument in the vulnerable CGI functions such as cgi_myfavorite_add.
- AC-6 (Least Privilege): limits the potential damage from low-privilege (PR:L) exploitation by ensuring accounts hold only the minimal privileges necessary for legitimate NAS management functions.
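The SI-10 control above calls for validating f_user before it can reach any command execution. The C snippet below is an added illustration written for this page; it is not D-Link's gui_mgr.cgi code, and the helper path /usr/sbin/fav_tool, the function names f_user_is_valid and run_favorite_add, and the permitted username alphabet are all assumptions. It shows an allowlist check on the parameter and then executes the helper through an argv vector with no shell in the path, next to a comment showing the string-concatenation shape that makes injection possible.

```c
/* Added illustration (not D-Link code): allowlist validation of a CGI
 * parameter such as f_user, and command execution without a shell so
 * that metacharacters in the parameter carry no meaning. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define F_USER_MAX 32   /* assumed upper bound for an account name */

/* SI-10 style check: accept only a conservative username alphabet.
 * Returns 1 if `s` is acceptable, 0 otherwise. */
int f_user_is_valid(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > F_USER_MAX) return 0;
    if (s[0] == '-') return 0;            /* must not look like an option flag */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Vulnerable shape, shown only for contrast: the parameter is pasted
 * into a shell command line, so ';', '`' and '$(' are interpreted.
 *   snprintf(cmd, sizeof cmd, "/usr/sbin/fav_tool add %s", f_user);
 *   system(cmd);
 */

/* Hardened shape: validate, then exec the helper directly with an argv
 * vector. No shell parses the string, so injection is not possible even
 * if the allowlist were later relaxed. Returns the helper's exit status,
 * or -1 if the input was rejected or the process could not be run. */
int run_favorite_add(const char *f_user)
{
    if (!f_user_is_valid(f_user)) {
        fprintf(stderr, "rejected f_user\n");   /* log rejections for detection */
        return -1;
    }
    char *const argv[] = { "/usr/sbin/fav_tool", "add", (char *)f_user, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                        /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs, as a CGI handler might receive them. */
    const char *samples[] = { "admin", "bob.smith_01", "a;id", "$(id)", "-rf", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               f_user_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The allowlist should be narrowed to whatever the device's own account-naming rules permit; the point is that the handler decides what is acceptable rather than trying to strip out what is dangerous. Logging each rejection gives operators a signal that someone is probing the endpoint, which is the detection side of the same control.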
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Command injection in a web CGI script on a network-exposed NAS enables exploitation of a public-facing application (T1190) and Unix shell command execution (T1059.004).
NVD Description
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_myfavorite_add/cgi_myfavorite_set/cgi_myfavorite_del/cgi_myfavorite_set_sort_info/cgi_myfavorite_remove_apkg/cgi_myfavorite_compare_apkg/cgi_mycloud_auto_downlaod of the file /cgi-bin/gui_mgr.cgi. This manipulation of the argument f_user causes command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Deeper analysis [AI-generated]
CVE-2026-4204 is a command injection vulnerability affecting multiple D-Link Network Attached Storage (NAS) devices, including models DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 running firmware versions up to 20260205. The flaw resides in the /cgi-bin/gui_mgr.cgi script, specifically within functions such as cgi_myfavorite_add, cgi_myfavorite_set, cgi_myfavorite_del, cgi_myfavorite_set_sort_info, cgi_myfavorite_remove_apkg, cgi_myfavorite_compare_apkg, and cgi_mycloud_auto_downlaod. It stems from improper handling of the f_user argument, mapped to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low-privilege access (PR:L) can exploit this vulnerability over the network without user interaction. By manipulating the f_user argument in the affected CGI endpoints, an attacker can inject arbitrary commands, with limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L): unauthorized data access, modification of system files, or denial of service on the targeted NAS device.
Advisories and details are available via VulDB entries (ctiid.351116, id.351116, submit.770409) and a GitHub repository documenting the vulnerability and proof-of-concept exploit. The D-Link website provides general support resources, but specific patch information for the affected firmware is not given in the CVE data. Security practitioners should consult these references for mitigation guidance and confirm that deployed firmware is newer than 20260205. An exploit has been publicly released, increasing the risk of active exploitation.
Details
- CWE(s)