CVE-2026-4209
Published: 16 March 2026
Summary
CVE-2026-4209 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dnr-202L Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Implements input validation at CGI endpoints to directly prevent command injection via manipulated parameters in account management functions.
Requires timely identification, reporting, and correction of the specific command injection flaw in vulnerable D-Link NAS firmware.
Enforces restrictions on input types, formats, and quantities to block malicious payloads targeting the account_mgr.cgi functions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing CGI endpoints on D-Link NAS devices enables exploitation of public-facing applications (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function cgi_create_import_users/cgi_user_batch_create/cgi_user_set_quota/cgi_user_del/cgi_user_modify/cgi_group_set_quota/cgi_group_modify/cgi_group_add/cgi_user_add/cgi_get_modify_group_info/cgi_chg_admin_pw of the file /cgi-bin/account_mgr.cgi. The…
more
manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Deeper analysisAI
CVE-2026-4209 is a command injection vulnerability affecting multiple D-Link network-attached storage (NAS) devices, including models DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 running firmware up to version 20260205. The flaw exists in multiple functions within the /cgi-bin/account_mgr.cgi file, such as cgi_create_import_users, cgi_user_batch_create, cgi_user_set_quota, cgi_user_del, cgi_user_modify, cgi_group_set_quota, cgi_group_modify, cgi_group_add, cgi_user_add, cgi_get_modify_group_info, and cgi_chg_admin_pw. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), who can manipulate inputs to the affected CGI endpoints to inject and execute arbitrary commands on the device. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption of services. A public exploit is available, heightening the risk for exposed devices.
Advisories and details are available via VulDB (ctiid.351120, id.351120, submit.770429) and GitHub repositories documenting the vulnerabilities (wudipjq/my_vuln D-Link8/vuln_148/148.md and vuln_149/149.md), which may provide further guidance on identification and remediation.
The public availability of an exploit underscores the potential for real-world attacks against unpatched D-Link NAS deployments still running vulnerable firmware.
Details
- CWE(s)