CVE-2026-4203 in DNS-120
Summary
by MITRE • 03/16/2026
A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted are the functions cgi_portforwarding_add/cgi_portforwarding_del/cgi_portforwarding_modify/cgi_portforwarding_add_scan/cgi_dhcpd_lease/cgi_ddns/cgi_ip/cgi_dhcpd of the file /cgi-bin/network_mgr.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
Analysis
by VulDB Data Team • 03/21/2026
This vulnerability exists within multiple D-Link network storage devices including various DNS and DNR models, specifically affecting firmware versions up to 20260205. The affected devices are part of the company's network attached storage and router product line, making them critical infrastructure components in both home and small office environments. The vulnerability stems from improper input validation within the network manager CGI script, specifically in functions related to port forwarding management and network configuration operations.
The technical flaw manifests as a command injection vulnerability within the /cgi-bin/network_mgr.cgi file where multiple functions including cgi_portforwarding_add, cgi_portforwarding_del, cgi_portforwarding_modify, cgi_portforwarding_add_scan, cgi_dhcpd_lease, cgi_ddns, cgi_ip, and cgi_dhcpd are susceptible to malicious input manipulation. When these functions process user-supplied parameters without adequate sanitization, attackers can inject arbitrary commands that execute with the privileges of the web server process. This represents a critical security weakness that aligns with CWE-77 and CWE-94, which respectively cover improper neutralization of special elements used in command execution and improper control of generation of code.
The operational impact of this vulnerability is severe as it allows remote attackers to execute arbitrary commands on affected devices without authentication. This creates a pathway for attackers to gain complete control over the network storage appliances, potentially enabling them to modify network configurations, establish persistent backdoors, or use the devices as launching points for attacks against other systems within the network. The vulnerability's public exploit availability significantly increases the risk surface, as it can be leveraged by both skilled attackers and automated malware. The attack vector is particularly concerning because it operates over the network without requiring any authentication credentials, making it accessible to anyone who can reach the device's web interface.
Security professionals should immediately implement network segmentation to isolate affected devices from critical systems and apply firmware updates from D-Link as soon as they become available. Network monitoring should be enhanced to detect suspicious traffic patterns that might indicate exploitation attempts, particularly looking for unusual command execution patterns or attempts to modify port forwarding rules. Organizations should also consider implementing web application firewalls to filter malicious requests targeting the vulnerable CGI functions. The vulnerability demonstrates the importance of input validation and output encoding practices as outlined in the OWASP Top Ten and aligns with ATT&CK techniques related to command and scripting interpreter execution, as well as privilege escalation through web application vulnerabilities. Given the widespread deployment of these devices, the vulnerability represents a significant risk to network security and requires immediate attention from system administrators across all affected deployments.
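The monitoring advice above can be turned into a log triage check. The following is an added example, not code from VulDB or D-Link: it scans web or reverse-proxy access logs for requests to /cgi-bin/network_mgr.cgi that name one of the affected handlers, and flags those whose other parameter values contain shell metacharacters. It assumes combined-format log lines that include the query string; the parameter names `cmd` and `arg` in the sample lines are constructed placeholders, and the check does not depend on them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Handler names listed in the advisory for /cgi-bin/network_mgr.cgi
HANDLERS = {
    "cgi_portforwarding_add", "cgi_portforwarding_del",
    "cgi_portforwarding_modify", "cgi_portforwarding_add_scan",
    "cgi_dhcpd_lease", "cgi_ddns", "cgi_ip", "cgi_dhcpd",
}
CGI_PATH = "/cgi-bin/network_mgr.cgi"
# Characters a shell treats as separators, substitution or redirection
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Request part of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2560 -> %60 -> `)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return 'ignore', 'touch' (affected handler requested) or
    'suspect' (affected handler plus shell metacharacters in a value)."""
    m = REQUEST.search(line)
    if not m:
        return "ignore"
    target = urlsplit(m.group(1))
    if target.path != CGI_PATH:
        return "ignore"
    # parse_qsl performs the first round of percent-decoding
    values = [fully_decode(v) for _, v in
              parse_qsl(target.query, keep_blank_values=True)]
    if not any(v in HANDLERS for v in values):
        return "ignore"
    others = [v for v in values if v not in HANDLERS]
    return "suspect" if any(SHELL_META.search(v) for v in others) else "touch"

# Constructed sample log lines (documentation IP ranges, placeholder parameters)
SAMPLE = [
    '192.0.2.10 - - [21/Mar/2026:10:00:01 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_ddns&arg=example.net HTTP/1.1" 200 120',
    '198.51.100.7 - - [21/Mar/2026:10:00:05 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_ip&arg=10.0.0.5%3Bid HTTP/1.1" 200 98',
    '198.51.100.7 - - [21/Mar/2026:10:00:09 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_dhcpd&arg=a%2560id%2560 HTTP/1.1" 200 98',
    '192.0.2.10 - - [21/Mar/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry.split('"')[1])
```

A "touch" result from an address outside the management network is worth reviewing on its own, since the analysis above describes the affected functions as reachable without credentials.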