Cyber Resilience

CVE-2026-4207

Severity: Medium · Public PoC

Published: 16 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 5.3 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0377 (88.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-4207 is a medium-severity injection vulnerability (CWE-74, with CWE-77 command injection as the specific weakness) in D-Link NAS firmware, indexed here under the CPE product dlink dnr-202l firmware; nineteen further D-Link NAS models are affected (see Affected Assets). Its CVSS v4.0 base score is 5.3 (Medium); the CVSS v3.1 score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.5% of CVEs by exploit likelihood (EPSS 0.0377, 88.5th percentile), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation); AC-6 (Least Privilege) limits the impact of a successful injection.

Deeper analysis

CVE-2026-4207 is a command injection vulnerability affecting twenty D-Link Network Attached Storage (NAS) models: DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04, with firmware versions up to and including 20260205. The issue resides in the cgi_device, cgi_sms_test, cgi_firmware_upload and cgi_ntp_time functions of /cgi-bin/system_mgr.cgi and is classified under CWE-74 (Injection) and CWE-77 (Command Injection). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), alongside the CVSS v4.0 score of 5.3 given above.

The vulnerability is exploitable remotely by an attacker holding a low-privileged account on the device (PR:L), with low attack complexity and no user interaction. A successful manipulation injects shell commands into the operating-system command the CGI runs, with limited impact on confidentiality, integrity and availability according to the vector (C:L/I:L/A:L). The exploit has been publicly disclosed, which raises the likelihood of attacks against exposed devices.

References include GitHub repositories (https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_141/141.md and https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_142/142.md) detailing the vulnerability, along with VulDB entries (https://vuldb.com/?ctiid.351119, https://vuldb.com/?id.351119, https://vuldb.com/?submit.770420). No specific patch or mitigation details are outlined in the available information.

The public disclosure of the exploit underscores the need for immediate firmware updates where available and network segmentation for affected D-Link NAS devices.

Vulnerability details

A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This impacts the function cgi_device/cgi_sms_test/cgi_firmware_upload/cgi_ntp_time of the file /cgi-bin/system_mgr.cgi. Executing a manipulation can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

CWE(s)

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing NAS web CGI (/cgi-bin/system_mgr.cgi) enables exploitation of public-facing application (T1190) for remote Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
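The two techniques above amount to one observable: an HTTP request to the NAS web CGI whose parameters carry shell metacharacters. The detector below, an added example that is not part of the original advisory or of any vendor or VulDB tooling, runs that logic over constructed access-log lines. It flags requests to /cgi-bin/system_mgr.cgi that name one of the four vulnerable functions and raises the severity when a URL-decoded parameter value contains a shell metacharacter. The log lines and the parameter names (cmd, ntp_server, name) are assumptions; the advisory names the vulnerable functions, not the HTTP parameters that reach them.

```python
"""Flag exploitation attempts against /cgi-bin/system_mgr.cgi in HTTP access logs.

Added example; not code from the advisory, D-Link or VulDB. The log lines are
constructed. The parameter names (`cmd`, `ntp_server`, `name`) are assumptions:
the advisory names the vulnerable functions, not the HTTP parameters that reach them.
"""
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/cgi-bin/system_mgr.cgi"
# The four functions the advisory names in system_mgr.cgi.
VULN_FUNCTIONS = {"cgi_device", "cgi_sms_test", "cgi_firmware_upload", "cgi_ntp_time"}
# Characters that let a value break out of a shell command it is concatenated into.
SHELL_META_RE = re.compile(r"[;|&`$<>\n]")

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Split one access-log line into fields and decode the query string into
    (name, value) pairs, so %3B comes back as ';'. Returns None on a bad line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def classify(path: str, params) -> tuple:
    """Rate one request. 'high': a parameter to the vulnerable CGI carries shell
    metacharacters; 'medium': the request names a vulnerable function; 'low':
    any other hit on the CGI; 'none': unrelated path."""
    if path != TARGET_PATH:
        return ("none", [])
    reasons = []
    for name, value in params:
        if value in VULN_FUNCTIONS:
            reasons.append("names vulnerable function %s via %s=" % (value, name))
    injected = [name for name, value in params if SHELL_META_RE.search(value)]
    for name in injected:
        reasons.append("shell metacharacter in parameter %s" % name)
    if injected:
        return ("high", reasons)
    if reasons:
        return ("medium", reasons)
    return ("low", ["request to " + TARGET_PATH])


def scan(lines) -> list:
    """Run classify() over log lines; return medium/high alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity, reasons = classify(rec["path"], rec["params"])
        if severity in ("high", "medium"):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample log (not real traffic). Line 3 is a POST whose body, where an
# injected value would sit, is not visible in an access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Mar/2026:10:01:02 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_ntp_time&ntp_server=pool.ntp.org HTTP/1.1" 200 312',
    '203.0.113.7 - - [16/Mar/2026:10:01:09 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_ntp_time&ntp_server=pool.ntp.org%3Bcat%20/etc/passwd HTTP/1.1" 200 455',
    '203.0.113.7 - - [16/Mar/2026:10:01:15 +0000] "POST /cgi-bin/system_mgr.cgi?cmd=cgi_sms_test HTTP/1.1" 200 120',
    '10.0.0.8 - - [16/Mar/2026:10:02:00 +0000] "GET /web/index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [16/Mar/2026:10:02:30 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_device&name=nas%60id%60 HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], alert["method"], "; ".join(alert["reasons"]))
```

Access logs expose only the query string. If the device accepts the same parameters in a POST body, feed classify() from a reverse proxy or WAF that logs request bodies; otherwise a POST like the third sample line can only be rated medium, and the low-privileged account behind it (PR:L) is the pivot for the investigation.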

CVEs Like This One

CVE-2026-4204 (same product: D-Link DNR-202L)
CVE-2026-4197 (same product: D-Link DNR-202L)
CVE-2026-4195 (same product: D-Link DNR-202L)
CVE-2026-4206 (same product: D-Link DNR-202L)
CVE-2026-4209 (same product: D-Link DNR-202L)
CVE-2026-4196 (same product: D-Link DNR-202L)
CVE-2026-4210 (same product: D-Link DNR-202L)
CVE-2026-4203 (same product: D-Link DNR-202L)
CVE-2026-4205 (same product: D-Link DNR-202L)
CVE-2026-5212 (same product: D-Link DNR-202L)

Affected Assets

dlink dnr-202l firmware ≤ 2026-02-05
dlink dnr-326 firmware ≤ 2026-02-05
dlink dns-1100-4 firmware ≤ 2026-02-05
dlink dns-120 firmware ≤ 2026-02-05
dlink dns-1200-05 firmware ≤ 2026-02-05
dlink dns-1550-04 firmware ≤ 2026-02-05
dlink dns-315l firmware ≤ 2026-02-05
dlink dns-320 firmware ≤ 2026-02-05
dlink dns-320l firmware ≤ 2026-02-05
dlink dns-320lw firmware ≤ 2026-02-05
+10 more product configuration(s), see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Apply vendor firmware updates or patches as they become available; this is the only control that removes the command injection from the affected system_mgr.cgi functions. No fixed firmware is referenced in the available information.

SI-10 Information Input Validation (prevent)
Validate and sanitize user-supplied input to the vulnerable CGI functions (cgi_device, cgi_sms_test, cgi_firmware_upload, cgi_ntp_time) so that shell metacharacters never reach an operating-system command. On the device this is the vendor's fix; where the firmware cannot be updated, the same check can be enforced by a reverse proxy or WAF in front of the NAS management interface.

AC-6 Least Privilege (prevent)
Restrict and audit the low-privileged accounts (PR:L) that exploitation requires, and keep the NAS management interface segmented from untrusted networks, limiting the confidentiality, integrity and availability impact of a successful command injection.
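What the exploitation path described under Deeper analysis and the SI-10 control above look like in code, as an added illustration rather than the device's firmware: the vulnerable handler splices a request parameter into a shell line, while the hardened one validates the value against a hostname allowlist and hands it to the program as a single argv element with no shell in between. The parameter name ntp_server, the ntpdate command and the handler structure are assumptions; system_mgr.cgi is a native binary whose internals the advisory does not show.

```python
"""Command injection in a CGI handler: the vulnerable pattern next to a hardened one.

Added illustration, not code from the D-Link firmware. The real system_mgr.cgi
is a native binary; the parameter name `ntp_server`, the `ntpdate` command and
the handler structure are assumptions used to show the bug class.
"""
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, 253 chars total.
# An IPv4 address also matches; shell metacharacters cannot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(ntp_server: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell line.

    Handed to os.system() / system(3), a value like 'pool.ntp.org;id' makes the
    shell run 'ntpdate -u pool.ntp.org' and then 'id' with the CGI's privileges.
    """
    return "ntpdate -u " + ntp_server


def validate_hostname(value: str) -> bool:
    """SI-10 style allowlist check: accept only a well-formed hostname."""
    return HOSTNAME_RE.match(value) is not None


def build_argv_safe(ntp_server: str) -> list:
    """Hardened: reject anything that is not a hostname, then pass the value as
    one argv element. With no shell in the path, a ';' or '`' in the value would
    only ever reach ntpdate as part of a (bad) hostname."""
    if not validate_hostname(ntp_server):
        raise ValueError("rejected ntp_server value: %r" % ntp_server)
    return ["ntpdate", "-u", ntp_server]


def run_ntp_sync(ntp_server: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False means argv goes straight to
    execve(2); this is the call a fixed handler would make."""
    return subprocess.run(build_argv_safe(ntp_server), shell=False,
                          capture_output=True, text=True, check=False)


def quote_for_shell(ntp_server: str) -> str:
    """Fallback when a shell line is unavoidable: shlex.quote() turns the whole
    value into one literal word, so metacharacters lose their meaning."""
    return "ntpdate -u " + shlex.quote(ntp_server)


if __name__ == "__main__":
    payload = "pool.ntp.org;id"   # constructed attacker-controlled value
    print("unsafe :", build_command_unsafe(payload))
    print("quoted :", quote_for_shell(payload))
    try:
        build_argv_safe(payload)
    except ValueError as err:
        print("argv   :", err)
    print("argv   :", build_argv_safe("pool.ntp.org"))
```

The allowlist is the primary control and the argv form is what makes it robust: quoting alone (quote_for_shell) stops the breakout but still trusts a shell parser, and a validator written as a denylist of metacharacters is what attackers routinely bypass.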

References

https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_141/141.md
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_142/142.md
https://vuldb.com/?ctiid.351119
https://vuldb.com/?id.351119
https://vuldb.com/?submit.770420