Cyber Resilience

CVE-2026-4627

High · RCE

Published: 24 March 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0202 (78.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4627 is a high-severity Command Injection (CWE-77) vulnerability in D-Link products (vendor inferred from references). Its CVSS v4 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 21.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4627 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the handler_update_system_time function in the libdeuteron_modules.so file, which is part of the NTP Service component on D-Link DIR-825 and DIR-825R routers running firmware versions 1.0.5 and 4.5.1. Published on 2026-03-24, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). This issue only impacts products that are no longer supported by the maintainer.

The vulnerability enables remote exploitation over the network with low attack complexity, though it requires high privileges (PR:H) and no user interaction. An attacker with sufficient access can manipulate inputs to inject and execute arbitrary operating system commands, achieving high impacts on confidentiality, integrity, and availability.

VulDB advisories (e.g., https://vuldb.com/?ctiid.352495, https://vuldb.com/?id.352495) document the vulnerability details and submission, while the D-Link website (https://www.dlink.com/) is referenced generally. No patches are available, as the affected products are unsupported by the maintainer.

Vulnerability details

A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected is the function handler_update_system_time of the file libdeuteron_modules.so of the component NTP Service. The manipulation results in os command injection. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

OS command injection in the network device's NTP/web handler directly enables arbitrary command execution via Network Device CLI (T1059.008) and exploitation of a remotely accessible management interface (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7123: Shared CWE-77, CWE-78
CVE-2026-6114: Shared CWE-77, CWE-78
CVE-2026-2082: Shared CWE-77, CWE-78
CVE-2026-5997: Shared CWE-77, CWE-78
CVE-2025-15254: Shared CWE-77, CWE-78
CVE-2025-1819: Shared CWE-77, CWE-78
CVE-2026-7243: Shared CWE-77, CWE-78
CVE-2026-1506: Shared CWE-77, CWE-78
CVE-2026-3696: Shared CWE-77, CWE-78
CVE-2026-6154: Shared CWE-77, CWE-78

Affected Assets

Dlink
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly validates inputs to the handler_update_system_time function in the NTP service to block OS command injection exploits.

Prevent: Requires replacement, prohibition, or isolation of unsupported D-Link DIR-825 and DIR-825R routers with this unpatched vulnerability.

Prevent: Enforces least privilege to limit high-privilege (PR:H) access required for remote exploitation of the NTP service command injection.
