Submit #810082: D-Link Corporation DNS-320 ShareCenter NAS (Rev.A) Firmware 2.06B01 HOTFIX CWE-78: OS Command Injectioninfo

TitleD-Link Corporation DNS-320 ShareCenter NAS (Rev.A) Firmware 2.06B01 HOTFIX CWE-78: OS Command Injection
DescriptionMultiple OS command injection vulnerabilities across 4 CGI binaries in D-Link DNS-320 firmware 2.06B01: system_mgr.cgi: - cgi_set_host (0xaf28): "/bin/hostname %s" via hostname — CONFIRMED - cgi_set_ntp (0xf53c): "(sntp -r %s) &" via f_ntp_server — CONFIRMED - cgi_fan_control (0xae0c): "fan_control %s c &" via f_fan_type - cgi_merge_user (0xbe00): "tail -n %s" via total account_mgr.cgi: - cgi_import_users (0xa678): "account_mgr -t '%s'" via app — CONFIRMED - cgi_batch_add (0xaa84): via f_prefix, f_start, f_number dsk_mgr.cgi: - cgi_scan_disk (0xede4): "scandisk -p %s" via f_dev — CONFIRMED - cgi_raid_rebuild (0xdb40): via f_raidlevel, f_dev app_mgr.cgi: - cgi_ftp_stop (0xdcc4): "ftp -z %s" via f_ip — CONFIRMED - cgi_ftp_start (0xf1e8): via f_ip, f_permanent - cgi_sqldb (0xf430): via f_dir, f_function Verification: 5 of 11 functions CONFIRMED by Unicorn Fuzzer.
Source⚠️ https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md
User
 ST4R (UID 96634)
Submission04/22/2026 12:16 (3 months ago)
Moderation05/10/2026 17:54 (18 days later)
StatusAccepted
VulDB entry362570 [D-Link DNS-320 2.06B01 /cgi-bin/system_mgr.cgi os command injection]
Points20

Interested in the pricing of exploits?

See the underground prices here!