Impact
A vulnerability was identified in the cgi_set_wto function within /cgi-bin/system_mgr.cgi on a range of D-Link routers. The flaw is an improper access control weakness that allows an unauthenticated attacker to manipulate this CGI endpoint. By sending crafted requests, the attacker can bypass normal authorization checks, potentially leading to remote execution of arbitrary commands or unauthorized configuration changes. The weakness is classified as CWE-266 (Improper Privilege Management) and CWE-284 (Improper Access Control).
Affected Systems
The affected models include D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04. All firmware versions up to and including 20260205 are vulnerable. Specific firmware revision numbers are not supplied, so protection should be applied to any device of these models running firmware dated before the release of the fix.
Risk and Exploitability
The CVSS base score for this issue is 6.9, placing it in the Medium severity range. The EPSS score is below 1%, indicating a low current likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the flaw is exploitable remotely via HTTP or HTTPS traffic to the web management interface and requires only network access to the device. Because the attack does not require user interaction or local privileges, it is considered a high-risk exposure for network-connected routers. Operators should treat the vulnerability as significant until a patch is applied.
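Because the only precondition is network reach to the management interface, one practical check is to review web logs for requests to this endpoint from outside the management network. The following is an added example, not part of the original advisory or any D-Link tooling. It assumes a proxy or firewall in front of the device writes Common Log Format lines; the management subnet, the sample lines and the `fn` parameter name are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only this management subnet should ever reach the admin UI.
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
TARGET_PATH = "/cgi-bin/system_mgr.cgi"   # endpoint named in the advisory
TARGET_FUNC = "cgi_set_wto"               # function named in the advisory

# Common Log Format prefix: src ident user [ts] "METHOD uri PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines; the "fn" parameter name is a placeholder.
SAMPLE_LOG = """\
10.0.50.12 - - [05/Feb/2026:10:01:02 +0000] "GET /cgi-bin/system_mgr.cgi HTTP/1.1" 200 512
203.0.113.7 - - [05/Feb/2026:10:03:44 +0000] "POST /cgi-bin/system_mgr.cgi HTTP/1.1" 200 87
198.51.100.23 - - [05/Feb/2026:10:04:10 +0000] "GET /cgi-bin//system_mgr.cgi?fn=cgi_set_wto HTTP/1.1" 200 64
203.0.113.7 - - [05/Feb/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
not a log line
"""

def parse_hit(line):
    """Return a dict for a request to the target CGI, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, uri, status = m.groups()
    path, _, query = uri.partition("?")
    # Decode and collapse duplicate slashes so trivial path variants still match.
    if re.sub(r"/+", "/", unquote(path)) != TARGET_PATH:
        return None
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return {
        "src": src, "time": ts, "method": method, "status": int(status),
        "outside_mgmt": not any(ip in net for net in MGMT_NETS),
        # POST bodies are not logged, so this is only a hint for GET requests.
        "names_function": TARGET_FUNC in unquote(query),
    }

def findings(log_text):
    """Requests to the CGI from outside the management network."""
    hits = (parse_hit(line) for line in log_text.splitlines())
    return [h for h in hits if h and h["outside_mgmt"]]

if __name__ == "__main__":
    for h in findings(SAMPLE_LOG):
        print(h)
```

Any hit from outside the management network warrants review whether or not the function name is visible, since a POST body carrying it would not appear in the log.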
OpenCVE Enrichment