CVE-2026-5214
Published: 31 March 2026
Summary
CVE-2026-5214 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dnr-202L Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow flaw in the cgi_addgroup_get_group_quota_minsize function by applying firmware updates for affected D-Link NAS devices.
Validates the 'Name' argument in CGI inputs to prevent manipulation leading to stack-based buffer overflow.
Implements memory protections such as stack canaries and address space layout randomization to block arbitrary code execution from the buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing CGI script (/cgi-bin/account_mgr.cgi) on D-Link NAS devices enables remote code execution with no user interaction, directly mapping to exploitation of public-facing applications for initial access.
NVD Description
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted is the function cgi_addgroup_get_group_quota_minsize of the file /cgi-bin/account_mgr.cgi. The…
more
manipulation of the argument Name results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
Deeper analysisAI
CVE-2026-5214 is a stack-based buffer overflow vulnerability affecting the cgi_addgroup_get_group_quota_minsize function in the /cgi-bin/account_mgr.cgi file across multiple D-Link Network Attached Storage (NAS) devices. Impacted models include DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, with versions up to 20260205. The issue arises from manipulation of the "Name" argument and is classified under CWE-119, CWE-121, and CWE-787.
The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), requiring low attack complexity, no user interaction, and no privileged scope change, as per its CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
Advisories on VulDB detail the vulnerability and reference a public exploit disclosure, including a GitHub repository at https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_169/169.md containing exploit information. Practitioners should consult these sources and the vendor site at https://www.dlink.com/ for any mitigation guidance or firmware updates. The exploit has been made public, increasing the risk of active targeting.
Details
- CWE(s)