Impact
The vulnerability allows an attacker to inject arbitrary shell commands into the remote_backup.cgi servlet when the cgi_set_rsync_server function processes input. This command injection can be triggered via a specially crafted HTTP request, causing the web server process to execute the supplied command with its privileges. The flaw is identified as a combination of CWE-74 and CWE-77, enabling remote code execution on the affected router.
Affected Systems
Affected models are D‑Link DNS‑120, D‑Link DNR‑202L, D‑Link DNS‑315L, D‑Link DNS‑320, D‑Link DNS‑320L, D‑Link DNS‑320LW, D‑Link DNS‑321, D‑Link DNR‑322L, D‑Link DNS‑323, D‑Link DNS‑325, D‑Link DNS‑326, D‑Link DNS‑327L, D‑Link DNR‑326, D‑Link DNS‑340L, D‑Link DNS‑343, D‑Link DNS‑345, D‑Link DNS‑726‑4, D‑Link DNS‑1100‑4, D‑Link DNS‑1200‑05, and D‑Link DNS‑1550‑04, for all firmware versions dated up to 20260205. Users should verify the model and firmware build and check if it falls within this range.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of 4% suggests a modest probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attack is possible from any remote network location that can reach the device’s /cgi-bin/remote_backup.cgi endpoint, with no local privileges necessary for exploitation.
OpenCVE Enrichment