Cyber Posture

CVE-2026-4627

High · RCE

Published: 24 March 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4627 is a high-severity Command Injection (CWE-77) vulnerability in D-Link (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE is ranked in the top 42.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Device CLI (T1059.008) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly validates inputs to the handler_update_system_time function in the NTP service to block OS command injection exploits.

Prevent: Requires replacement, prohibition, or isolation of unsupported D-Link DIR-825 and DIR-825R routers with this unpatched vulnerability.

Prevent: Enforces least privilege to limit high-privilege (PR:H) access required for remote exploitation of the NTP service command injection.

MITRE ATT&CK Enterprise Techniques · AI

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

OS command injection in the network device's NTP/web handler directly enables arbitrary command execution via Network Device CLI (T1059.008) and exploitation of a remotely accessible management interface (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected is the function handler_update_system_time of the file libdeuteron_modules.so of the component NTP Service. The manipulation results in os command injection. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysis · AI

CVE-2026-4627 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the handler_update_system_time function in the libdeuteron_modules.so file, which is part of the NTP Service component on D-Link DIR-825 and DIR-825R routers running firmware versions 1.0.5 and 4.5.1. Published on 2026-03-24, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). This issue only impacts products that are no longer supported by the maintainer.

The vulnerability enables remote exploitation over the network with low attack complexity, though it requires high privileges (PR:H) and no user interaction. An attacker with sufficient access can manipulate inputs to inject and execute arbitrary operating system commands, achieving high impacts on confidentiality, integrity, and availability.

VulDB advisories (e.g., https://vuldb.com/?ctiid.352495, https://vuldb.com/?id.352495) document the vulnerability details and submission, while the D-Link website (https://www.dlink.com/) is referenced generally. No patches are available, as the affected products are unsupported by the maintainer.

Details

CWE(s)

Affected Products

D-Link (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-5978: Shared CWE-77, CWE-78
CVE-2026-5351: Shared CWE-77, CWE-78
CVE-2026-3040: Shared CWE-77, CWE-78
CVE-2026-4499: Shared CWE-77, CWE-78
CVE-2026-6115: Shared CWE-77, CWE-78
CVE-2026-6132: Shared CWE-77, CWE-78
CVE-2026-7243: Shared CWE-77, CWE-78
CVE-2025-7407: Shared CWE-77, CWE-78
CVE-2026-6154: Shared CWE-77, CWE-78
CVE-2026-7153: Shared CWE-77, CWE-78

References