Impact
A vulnerability was discovered in the download manager of multiple D-Link DNS and DNR devices, specifically in the RSS_Item_List function of /cgi-bin/download_mgr.cgi. The flaw permits an attacker to inject arbitrary operating‑system commands via crafted input, which can be executed remotely. This leads to a loss of confidentiality, integrity, and availability of the affected device and the network it serves, corresponding to the CWE‑77 "Command Injection" weakness (also CWE‑74 is listed as an associated weakness).
Affected Systems
Affected products include all D-Link devices listed in the CNA data: D-Link:DNR-202L, D-Link:DNR-322L, D-Link:DNR-326, D-Link:DNS-1100-4, D-Link:DNS-120, D-Link:DNS-1200-05, D-Link:DNS-1550-04, D-Link:DNS-315L, D-Link:DNS-320, D-Link:DNS-320L, D-Link:DNS-320LW, D-Link:DNS-321, D-Link:DNS-323, D-Link:DNS-325, D-Link:DNS-326, D-Link:DNS-327L, D-Link:DNS-340L, D-Link:DNS-343, D-Link:DNS-345, D-Link:DNS-726-4. Firmware versions up to 20260205 contain the flaw; all later releases are assumed to be patched.
Risk and Exploitability
The CVSS v3.1 score of 5.3 indicates moderate severity. The EPSS probability is 17%, indicating a moderate likelihood of exploitation at this time. The description states that the exploit can be performed from remote, but does not detail whether authentication is required or if unauthenticated requests are sufficient. No specific exploitation conditions beyond reaching the /cgi-bin/download_mgr.cgi endpoint are noted in the description, and the issue is not currently listed in the CISA KEV catalog. In practice, an attacker would need to send a crafted request to the RSS_Item_List endpoint of the vulnerable device to trigger command execution.
OpenCVE Enrichment