CVE-2026-4214 in DNS-120
Summary
by MITRE • 03/16/2026
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function UPnP_AV_Server_Path_Setting of the file /cgi-bin/app_mgr.cgi. Executing a manipulation can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
This vulnerability affects multiple D-Link network storage devices including various DNS and DNR models from the 20260205 firmware release and earlier versions. The flaw exists within the UPnP_AV_Server_Path_Setting function of the /cgi-bin/app_mgr.cgi file which handles Universal Plug and Play audio/video server path configuration. The vulnerability manifests as a stack-based buffer overflow that occurs when processing manipulated input parameters sent to this specific function. This type of vulnerability falls under CWE-121 which describes stack-based buffer overflow conditions where insufficient bounds checking allows attackers to overwrite adjacent memory locations on the program stack. The attack vector is remote, meaning an attacker can exploit this vulnerability without requiring physical access to the device or local network presence.
The operational impact of this vulnerability is significant as it allows for arbitrary code execution on affected devices. Successful exploitation could enable attackers to gain full control over the network storage devices, potentially leading to data theft, network compromise, or use as a pivot point for further attacks within the network infrastructure. The fact that the exploit has been published increases the risk level substantially as it removes the requirement for advanced exploitation techniques. This vulnerability directly maps to ATT&CK technique T1059.007 which covers command and scripting interpreter for remote code execution, and T1041 which addresses data compression and encryption for exfiltration purposes. The affected devices serve as network storage solutions that may contain sensitive corporate or personal data, making them attractive targets for cybercriminals seeking unauthorized access to storage resources.
Mitigation strategies should include immediate firmware updates from D-Link to address the buffer overflow vulnerability, network segmentation to isolate affected devices from critical systems, and implementation of network monitoring to detect suspicious traffic patterns targeting the UPnP service. Organizations should also disable UPnP functionality on affected devices if it is not required for operations, as this would eliminate the attack surface. Additionally, regular vulnerability assessments should be conducted to identify other potentially affected devices on the network, and security teams should monitor for any new exploits or indicators of compromise related to this specific vulnerability. The vulnerability represents a critical risk that requires immediate attention due to the published exploit and the potential for widespread compromise across multiple device models in the D-Link product line.