CVE-2026-4194

Description

A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_set_wto of the file /cgi-bin/system_mgr.cgi. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DNS-120 < 最新固件版本

D-Link DNR-202L < 最新固件版本

D-Link DNS-315L < 最新固件版本

D-Link DNS-320 < 最新固件版本

D-Link DNS-320L < 最新固件版本

D-Link DNS-320LW < 最新固件版本

D-Link DNS-321 < 最新固件版本

D-Link DNR-322L < 最新固件版本

D-Link DNS-323 < 最新固件版本

D-Link DNS-325 < 最新固件版本

D-Link DNS-326 < 最新固件版本

D-Link DNS-327L < 最新固件版本

D-Link DNR-326 < 最新固件版本

D-Link DNS-340L < 最新固件版本

D-Link DNS-343 < 最新固件版本

D-Link DNS-345 < 最新固件版本

D-Link DNS-726-4 < 最新固件版本

D-Link DNS-1100-4 < 最新固件版本

D-Link DNS-1200-05 < 最新固件版本

D-Link DNS-1550-04 < 最新固件版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

target = 'http://target-ip/cgi-bin/system_mgr.cgi'
payload = {'function': 'cgi_set_wto', 'param': 'value'}
response = requests.post(target, data=payload)
print(response.text)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4194
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4194
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4194/
[4] VulDB https://vuldb.com/cve/CVE-2026-4194
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_96/96.md
[6] https://vuldb.com/?ctiid.351106
[7] https://vuldb.com/?id.351106
[8] https://vuldb.com/?submit.769853
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4194", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:03.150", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_set_wto of the file /cgi-bin/system_mgr.cgi. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used."}, {"lang": "es", "value": "Se detectó una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta el 20260205. El elemento afectado es la función cgi_set_wto del archivo /cgi-bin/system_mgr.cgi. Realizar una manipulación resulta en controles de acceso inadecuados. La explotación remota del ataque es posible. El exploit es ahora público y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026-02-05", "matchCriteriaId": "E20A03F5-6985-4917-8E5B-48963FB62AF2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*", "matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", ... (truncated)