D-Link DNS-320 OS Command Injection Vulnerability in network_mgr.cgi

Vulnerability

An OS command injection vulnerability has been identified in the D-Link DNS-320 ShareCenter NAS, specifically in firmware version 2.06B01 HOTFIX. The vulnerability resides in the network_mgr.cgi file, within eight functions that handle HTTP parameters. The handlers read these parameters, format them into a command string with sprintf, and pass that string unsanitized to system(), allowing remote command execution.
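
The pattern described above, shown as an added illustration rather than the DNS-320 firmware's own source: an HTTP parameter is formatted into a shell command with sprintf and would then reach system(), beside a hardened handler that allowlists the value and executes a fixed binary without a shell. The interface-name parameter, the `ifconfig` command and the `/bin/echo` stand-in are assumptions made for the example.

```c
/* Added example: the unsafe "sprintf into system()" pattern and a hardened
 * replacement. Illustrative code, not the DNS-320 firmware's own source. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256

/* VULNERABLE PATTERN: the HTTP parameter is formatted straight into a shell
 * command line. Anything the shell treats as a separator in the parameter
 * becomes a second command once the string reaches system(). The built
 * string is returned so it can be inspected; a real handler would call
 * system() on it. Returns 0 on success, -1 on truncation. */
int build_command_unsafe(const char *http_param, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ifconfig %s", http_param);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Detection helper: does the value contain characters a shell interprets?
 * Useful for logging rejected input; it is not the primary defence. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$()<>{}\n\r'\"\\ \t") != NULL;
}

/* HARDENED STEP 1: allowlist validation. Interface names here are limited to
 * [A-Za-z0-9_-], 1..15 bytes (IFNAMSIZ-1). Everything else is rejected. */
int is_valid_iface_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 15) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED STEP 2: never hand the parameter to a shell. Exec a fixed binary
 * with the parameter as its own argv element, so no shell parsing happens.
 * Returns the child's exit status, or -1 on validation/exec failure. */
int run_iface_query_safe(const char *binary, const char *http_param)
{
    if (!is_valid_iface_name(http_param)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)binary, (char *)http_param, NULL };
        execv(binary, argv);
        _exit(127);  /* only reached if execv fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample parameter carrying a shell separator. */
    const char *hostile = "eth0;true";
    char cmd[CMD_MAX];
    build_command_unsafe(hostile, cmd, sizeof cmd);
    printf("unsafe command string: \"%s\" (metachars present: %d)\n",
           cmd, has_shell_metachars(hostile));
    printf("allowlist accepts \"eth0\": %d, accepts hostile value: %d\n",
           is_valid_iface_name("eth0"), is_valid_iface_name(hostile));
    /* Safe path: /bin/echo stands in for the real network tool. */
    printf("safe exec status for \"eth0\": %d\n",
           run_iface_query_safe("/bin/echo", "eth0"));
    return 0;
}
```

The allowlist is the fix that matters: an escape or denylist of shell metacharacters is fragile across shells and encodings, whereas rejecting anything outside the expected character set and then passing the value as a separate argv element removes the shell from the path entirely.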

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/network_mgr.cgi endpoint with a valid session cookie and a command injection payload in the HTTP parameters. The injected command is executed on the device.

Added: May 11, 2026, 5:21 AM
Updated: May 11, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          7.5
exploitability  4.8
remediation     0.0
relevance       8.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.