
CVE-2026-4204: D-Link DNR-202L Firmware RCE Vulnerability

CVE-2026-4204 is a remote code execution vulnerability in D-Link DNR-202L Firmware caused by command injection in the cgi_myfavorite functions. This article covers technical details, affected versions, and mitigation.

CVE-2026-4204 Overview

A command injection vulnerability has been discovered in multiple D-Link NAS (Network Attached Storage) devices affecting firmware versions up to 20260205. The vulnerability exists in the /cgi-bin/gui_mgr.cgi file, specifically within multiple CGI functions including cgi_myfavorite_add, cgi_myfavorite_set, cgi_myfavorite_del, cgi_myfavorite_set_sort_info, cgi_myfavorite_remove_apkg, cgi_myfavorite_compare_apkg, and cgi_mycloud_auto_downlaod. Improper handling of the f_user argument allows authenticated attackers to inject and execute arbitrary commands on the affected devices.

Critical Impact

Authenticated attackers can remotely execute arbitrary commands on vulnerable D-Link NAS devices, potentially leading to full device compromise, data theft, or network lateral movement.

Affected Products

  • D-Link DNS-120, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321 NAS Devices
  • D-Link DNS-323, DNS-325, DNS-326, DNS-327L, DNS-340L, DNS-343, DNS-345 NAS Devices
  • D-Link DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04 Enterprise NAS Devices
  • D-Link DNR-202L, DNR-322L, DNR-326 Network Video Recorders
  • All affected device firmware versions up to 20260205

Discovery Timeline

  • 2026-03-16 - CVE-2026-4204 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-4204

Vulnerability Analysis

This command injection vulnerability (CWE-77) affects the web management interface of D-Link NAS devices. The vulnerable CGI handler in /cgi-bin/gui_mgr.cgi fails to properly sanitize user-supplied input in the f_user parameter before passing it to system shell commands. An authenticated attacker with network access to the device's web interface can craft malicious requests containing shell metacharacters to execute arbitrary commands with the privileges of the web server process, typically running as root on these embedded devices.

The vulnerability affects multiple related functions within the favorites management functionality, suggesting a shared underlying code path that lacks proper input validation. This pattern of multiple vulnerable entry points to the same injection sink is common in embedded device firmware where code reuse is prevalent without consistent security controls.

Root Cause

The root cause is improper validation and neutralization of user input in the CGI handler functions (CWE-74, the injection class of which CWE-77 is a child). The f_user parameter is concatenated directly into shell commands without sanitization or escaping of shell metacharacters. This allows additional shell commands to be injected through command chaining with semicolons, command substitution with backticks, or pipe operators.

Attack Vector

The attack is network-based and requires low-privileged authentication to the device's web management interface. An attacker must first authenticate to the NAS device, then send specially crafted HTTP requests to the /cgi-bin/gui_mgr.cgi endpoint with malicious payloads in the f_user parameter. The injected commands execute in the context of the web server, which typically runs with elevated privileges on these devices.

The vulnerability can be triggered through any of the affected CGI functions (cgi_myfavorite_add, cgi_myfavorite_set, cgi_myfavorite_del, etc.), providing multiple attack vectors to the same underlying vulnerability. An exploit for this vulnerability has been publicly disclosed, increasing the risk of active exploitation.

Detection Methods for CVE-2026-4204

Indicators of Compromise

  • Suspicious HTTP requests to /cgi-bin/gui_mgr.cgi containing shell metacharacters (;, |, backticks, $()) in the f_user parameter
  • Unexpected outbound network connections from D-Link NAS devices to unknown IP addresses
  • Anomalous process execution on NAS devices, particularly shells spawned from web server processes
  • Modified system files, unauthorized user accounts, or persistence mechanisms on the NAS device

Detection Strategies

  • Monitor web server logs on D-Link NAS devices for requests containing command injection patterns in CGI parameters
  • Deploy network intrusion detection signatures to identify command injection attempts targeting /cgi-bin/gui_mgr.cgi
  • Implement egress filtering to detect and block unauthorized outbound connections from NAS devices
  • Use endpoint detection to identify anomalous process trees originating from the web server service
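
The log check described in the indicators and detection strategies above, as an added example (not vendor or D-Link code). The log layout, which records the form body next to the request line, and the sample lines are constructed assumptions; the extra `&` and newline checks go beyond the characters the page lists.

```python
import re
from urllib.parse import unquote_plus, urlsplit

TARGET = "/gui_mgr.cgi"   # CGI handler named in this advisory
PARAM = "f_user"          # parameter named in this advisory
# Metacharacters listed on this page (; | backtick $( ); & and newlines are added
# here as an assumption, since a shell also treats them as command separators.
META = re.compile(r"[;|`&\r\n]|\$\(")
# Constructed log layout (assumption): IP "METHOD URL" STATUS "FORM-BODY"
LINE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

# Constructed sample lines using documentation addresses; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 "POST /cgi-bin/gui_mgr.cgi" 200 "f_user=alice"',
    '192.0.2.66 "POST /cgi-bin/gui_mgr.cgi" 200 "f_user=alice%3Bxyz"',
    '192.0.2.66 "GET /cgi-bin/gui_mgr.cgi?f_user=bob%2560xyz%2560" 200 ""',
    '192.0.2.20 "GET /index.html?f_user=a%7Cb" 200 ""',
]

def decode_fully(value, rounds=3):
    """Undo repeated URL-encoding so a double-encoded %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def form_params(encoded):
    """Yield decoded (name, value) pairs from a query string or form body."""
    for pair in encoded.split("&"):
        name, _, value = pair.partition("=")
        yield decode_fully(name), decode_fully(value)

def scan(lines):
    """Return (client_ip, decoded f_user) for each suspicious request."""
    alerts = []
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue
        ip, _method, url, _status, body = match.groups()
        parts = urlsplit(url)
        if not decode_fully(parts.path).endswith(TARGET):
            continue  # only the affected handler is of interest
        for name, value in [*form_params(parts.query), *form_params(body)]:
            if name == PARAM and META.search(value):
                alerts.append((ip, value))
    return alerts
```

Common access-log formats do not record POST bodies, so in practice the body field has to come from a reverse proxy or network sensor placed in front of the device.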

Monitoring Recommendations

  • Enable and centralize logging from all D-Link NAS device web interfaces
  • Monitor for authentication anomalies and brute-force attempts against NAS device management interfaces
  • Implement network segmentation monitoring to detect lateral movement from compromised NAS devices
  • Review NAS device configurations periodically for unauthorized changes or new user accounts

How to Mitigate CVE-2026-4204

Immediate Actions Required

  • Restrict network access to D-Link NAS web management interfaces using firewall rules or network segmentation
  • Disable remote management access if not required and limit access to trusted administrative networks only
  • Audit existing user accounts on affected devices and remove unnecessary accounts
  • Monitor affected devices for signs of compromise and anomalous activity

Patch Information

As of the last update, no official patch has been released by D-Link for this vulnerability. Organizations should consult the D-Link Official Website for the latest security advisories and firmware updates. Many of the affected devices are legacy products that may have reached end-of-life status and may not receive patches.

Additional technical details can be found in the GitHub Vulnerability Documentation and the VulDB entry.

Workarounds

  • Place affected NAS devices behind a firewall and restrict access to the management interface to trusted IP addresses only
  • Implement a VPN requirement for remote administrative access to NAS devices rather than exposing the web interface directly
  • Consider replacing end-of-life D-Link NAS devices with supported alternatives that receive regular security updates
  • If the device must remain in use, implement network-level input filtering to block requests containing common command injection patterns

```bash
# Example iptables rules to restrict NAS management access
# Replace 192.168.1.100 with your NAS IP and 192.168.1.0/24 with trusted admin network
# The INPUT chain only sees traffic addressed to the host running these rules;
# on a routing firewall placed in front of the NAS, use the FORWARD chain instead.

# Allow management access only from trusted admin network
iptables -A INPUT -d 192.168.1.100 -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT

# Block all other management access (appended after the ACCEPT rules, so they match first)
iptables -A INPUT -d 192.168.1.100 -p tcp --dport 80 -j DROP
iptables -A INPUT -d 192.168.1.100 -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
