CVE-2026-4205 Overview
CVE-2026-4205 is a command injection vulnerability affecting a wide range of D-Link network-attached storage (NAS) products, including the DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to firmware version 20260205. The flaw resides in the cgi_refresh_db, FTP_Server_BlockIP_Add, and FTP_Server_BlockIP_Del functions of /cgi-bin/app_mgr.cgi. Attackers can manipulate input to inject operating system commands remotely. The exploit has been publicly disclosed.
Critical Impact
Authenticated remote attackers can inject shell commands through app_mgr.cgi, gaining the ability to execute arbitrary OS commands on affected D-Link NAS appliances.
Affected Products
- D-Link DNS-120, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNS-323, DNS-325, DNS-326, DNS-327L
- D-Link DNR-202L, DNR-322L, DNR-326, DNS-340L, DNS-343, DNS-345
- D-Link DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04
- All of the above are affected on firmware up to 20260205
Discovery Timeline
- 2026-03-16 - CVE-2026-4205 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-4205
Vulnerability Analysis
The vulnerability resides in /cgi-bin/app_mgr.cgi, a CGI binary handling application management on D-Link NAS devices. Three functions (cgi_refresh_db, FTP_Server_BlockIP_Add, and FTP_Server_BlockIP_Del) accept attacker-controlled parameters and pass them into shell command execution without proper sanitization. The result is OS command injection [CWE-77], a case of improper neutralization of special elements [CWE-74].
A remote attacker with low-privilege credentials can submit crafted HTTP requests targeting these endpoints. Shell metacharacters embedded in the request parameters are interpreted by the underlying shell, leading to arbitrary command execution in the context of the CGI process. Because D-Link NAS appliances often run web services as a privileged account, the injected commands typically run with elevated privileges on the device.
The affected product line includes legacy NAS hardware that is widely deployed in small business and home environments. Public exploit disclosure increases the likelihood of opportunistic scanning against exposed devices.
Root Cause
The root cause is unsanitized incorporation of HTTP request parameters into shell command strings within the three vulnerable handlers in app_mgr.cgi. The functions concatenate user-supplied values into commands executed by the system shell, allowing characters such as ;, |, &, and backticks to break out of the intended command context.
Attack Vector
The attack is network-based and requires low privileges. An attacker sends an HTTP request to /cgi-bin/app_mgr.cgi invoking cgi_refresh_db, FTP_Server_BlockIP_Add, or FTP_Server_BlockIP_Del with parameter values containing shell metacharacters. The injected commands execute on the NAS, enabling actions such as configuration tampering, credential theft, persistence installation, or pivoting to other systems on the local network. The EPSS score is 0.216% (percentile 44.016) as of 2026-05-14.
No verified proof-of-concept code is reproduced here. Technical detail is available in the public references, including GitHub Vulnerability Report #131 and GitHub Vulnerability Report #132.
Detection Methods for CVE-2026-4205
Indicators of Compromise
- HTTP POST or GET requests to /cgi-bin/app_mgr.cgi containing shell metacharacters such as ;, |, &, `, or $( in parameters related to cgi_refresh_db, FTP_Server_BlockIP_Add, or FTP_Server_BlockIP_Del.
- Unexpected outbound connections from NAS devices to unknown IP addresses, particularly to download secondary payloads such as shell scripts or binaries.
- New cron jobs, modified startup scripts, or unfamiliar processes running on D-Link NAS appliances.
Detection Strategies
- Inspect web server and reverse proxy logs in front of NAS devices for requests to app_mgr.cgi containing URL-encoded shell metacharacters.
- Deploy network IDS signatures matching command injection patterns targeting D-Link CGI endpoints.
- Baseline normal administrative activity on NAS devices and alert on deviations such as off-hours configuration changes or new firmware modifications.
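The log inspection described above can be scripted. The following is an added example, not vendor or advisory code: it scans combined-format access logs for app_mgr.cgi requests whose decoded parameter values contain the metacharacters listed under Indicators of Compromise, including double-encoded ones. The log lines and the parameter names "action" and "p1" are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/cgi-bin/app_mgr.cgi"
HANDLERS = ("cgi_refresh_db", "FTP_Server_BlockIP_Add", "FTP_Server_BlockIP_Del")
META = re.compile(r"[;|&`]|\$\(")  # metacharacters listed in the advisory
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (combined log format). "action" and "p1" are
# placeholder parameter names, not the device's real ones.
SAMPLE_LOG = """\
192.0.2.10 - admin [14/May/2026:09:12:01 +0000] "GET /cgi-bin/app_mgr.cgi?action=FTP_Server_BlockIP_Add&p1=198.51.100.4 HTTP/1.1" 200 312
203.0.113.9 - - [14/May/2026:09:13:40 +0000] "GET /cgi-bin/app_mgr.cgi?action=FTP_Server_BlockIP_Add&p1=198.51.100.4%3Becho%20TEST HTTP/1.1" 200 298
203.0.113.9 - - [14/May/2026:09:13:52 +0000] "GET /cgi-bin/app_mgr.cgi?action=cgi_refresh_db&p1=%2524%2528echo%2529 HTTP/1.1" 200 301
192.0.2.10 - admin [14/May/2026:09:15:07 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1044
"""

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;), bounded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for a suspicious app_mgr.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    parts = urlsplit(target)
    if fully_decode(parts.path) != TARGET_PATH:
        return None
    # parse_qsl splits on raw '&' first, so an '&' left inside a decoded value
    # was sent encoded (%26) and is payload, not a separator.
    params = [(k, fully_decode(v)) for k, v in
              parse_qsl(parts.query, keep_blank_values=True, separator="&")]
    hits = [k for k, v in params if META.search(v)]
    if not hits:
        return None
    handler = next((h for h in HANDLERS if any(h in v for _, v in params)), None)
    return {"src": src, "method": method, "status": int(status),
            "handler": handler, "params": hits}

def scan_log(text):
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the request line, so POST bodies are invisible to this check; covering them requires body logging on the reverse proxy or an IDS signature on the wire.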
Monitoring Recommendations
- Forward NAS web access logs to a centralized log platform for retention and correlation with broader network telemetry.
- Monitor authentication events on management interfaces for credential-stuffing or brute-force activity that may precede exploitation.
- Continuously inventory D-Link NAS firmware versions on the network and flag any appliance running firmware at or below 20260205.
How to Mitigate CVE-2026-4205
Immediate Actions Required
- Remove all affected D-Link NAS devices from the public internet and restrict management access to trusted administrative networks only.
- Rotate administrative credentials on all affected appliances to limit the value of any previously captured low-privilege accounts.
- Audit configurations, scheduled tasks, and stored data for signs of tampering on devices exposed to the internet prior to remediation.
Patch Information
Many of the affected models, including the DNS-320, DNS-323, DNS-325, and DNS-345, have reached end-of-life status and may not receive vendor patches. Consult the D-Link Official Website and the VulDB advisory for the latest vendor guidance and any firmware updates for supported models. Where no patch is available, replace the appliance with a supported product.
Workarounds
- Place affected NAS devices behind a firewall and block external access to the web management interface (typically TCP/80 and TCP/443).
- Disable remote management features and FTP services on the device if they are not required for business operations.
- Segment NAS appliances into a dedicated VLAN with strict ACLs preventing inbound access from user workstations and untrusted networks.
# Configuration example: restrict NAS management access with iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <NAS_IP> --dport 80 -s <ADMIN_SUBNET> -j ACCEPT
iptables -A FORWARD -p tcp -d <NAS_IP> --dport 443 -s <ADMIN_SUBNET> -j ACCEPT
iptables -A FORWARD -p tcp -d <NAS_IP> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <NAS_IP> --dport 443 -j DROP

