CVE-2026-4210

Summary

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Affected Software

VendorProductVersion RangeStatus
D-LinkDNS-12020260205affected
D-LinkDNR-202L20260205affected
D-LinkDNS-315L20260205affected
D-LinkDNS-32020260205affected
D-LinkDNS-320L20260205affected
D-LinkDNS-320LW20260205affected
D-LinkDNS-32120260205affected
D-LinkDNR-322L20260205affected
D-LinkDNS-32320260205affected
D-LinkDNS-32520260205affected
D-LinkDNS-32620260205affected
D-LinkDNS-327L20260205affected
D-LinkDNR-32620260205affected
D-LinkDNS-340L20260205affected
D-LinkDNS-34320260205affected
D-LinkDNS-34520260205affected
D-LinkDNS-726-420260205affected
D-LinkDNS-1100-420260205affected
D-LinkDNS-1200-0520260205affected
D-LinkDNS-1550-0420260205affected

Weaknesses

  • CWE-77: Command Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References