CVE-2026-4213

HighPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0008 23.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4213 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dnr-202L Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching and remediation of the stack-based buffer overflow vulnerability in affected D-Link NAS firmware.

SI-10 Information Input Validation good match

prevent

Enforces validation of untrusted inputs to CGI functions like cgi_myfavorite_del_user and cgi_myfavorite_verify to prevent buffer overflow exploitation.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to block exploitation of the stack-based buffer overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in public-facing NAS web CGI (/cgi-bin/gui_mgr.cgi) with PR:L allows remote exploitation for RCE (T1190: Exploit Public-Facing Application) and subsequent privilege escalation to high impact (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function cgi_myfavorite_del_user/cgi_myfavorite_verify of the file /cgi-bin/gui_mgr.cgi.…

Performing a manipulation results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

Deeper analysisAI

CVE-2026-4213 is a stack-based buffer overflow vulnerability (associated with CWE-119, CWE-121, and CWE-787) in the functions cgi_myfavorite_del_user and cgi_myfavorite_verify within the file /cgi-bin/gui_mgr.cgi. It affects multiple D-Link NAS devices, including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, running firmware versions up to 20260205. The issue was published on 2026-03-16 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Manipulation of the affected CGI endpoints triggers the buffer overflow, potentially allowing the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or denial of service.

Advisories and additional details are available via VulDB entries (ctiid.351124, id.351124, submit.770443) and GitHub repositories documenting the vulnerabilities. No specific patch or mitigation guidance is detailed in the initial disclosure.

The exploit is public and may be used, as noted in the vulnerability description, heightening risks for unpatched D-Link NAS devices exposed to the internet.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

dlink

dnr-202l firmware

≤ 2026-02-05

dlink

dnr-326 firmware

≤ 2026-02-05

dlink

dns-1100-4 firmware

≤ 2026-02-05

dlink

dns-120 firmware

≤ 2026-02-05

dlink

dns-1200-05 firmware

≤ 2026-02-05

dlink

dns-1550-04 firmware

≤ 2026-02-05

dlink

dns-315l firmware

≤ 2026-02-05

dlink

dns-320 firmware

≤ 2026-02-05

dlink

dns-320l firmware

≤ 2026-02-05

dlink

dns-320lw firmware

≤ 2026-02-05

+10 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-4214Same product: Dlink Dnr-202L

CVE-2026-4212Same product: Dlink Dnr-202L

CVE-2026-5213Same product: Dlink Dnr-202L

CVE-2026-4211Same product: Dlink Dnr-202L

CVE-2026-5212Same product: Dlink Dnr-202L

CVE-2026-5214Same product: Dlink Dnr-202L

CVE-2026-5211Same product: Dlink Dnr-202L

CVE-2026-4194Same product: Dlink Dnr-202L

CVE-2026-4197Same product: Dlink Dnr-202L

CVE-2026-4196Same product: Dlink Dnr-202L

References

https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_162/162.md
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_163/163.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.351124
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.351124
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.770443
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.770444
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com