Impact
The vulnerability is a command injection flaw in the gui_mgr.cgi script, specifically in the cgi_mycloud_auto_downlaod endpoint. By manipulating the f_user argument, an attacker can inject arbitrary shell commands. The flaw is classified as CWE‑74 (Improper Neutralization of Special Elements used in an OS Command) and CWE‑77 (Improper Command Injection). Remote exploitation is possible, allowing an attacker to execute commands with the privileges of the web service, potentially leading to full system compromise.
Affected Systems
Affected devices include a broad range of D‑Link routers and firewalls: DNS‑1100‑4, DNS‑120, DNS‑1200‑05, DNS‑1550‑04, DNS‑315L, DNS‑320, DNS‑320L, DNS‑320LW, DNS‑321, DNS‑323, DNS‑325, DNS‑326, DNS‑327L, DNS‑340L, DNS‑343, DNS‑345, DNS‑726‑4, DNR‑202L, DNR‑322L, and DNR‑326. All firmware releases up to 20260205 contain the vulnerable cgi_myfavorite_* and cgi_mycloud_auto_downlaod functions in /cgi-bin/gui_mgr.cgi.
Risk and Exploitability
The CVSS score is 5.3, indicating moderate severity, and the EPSS score is 3%, indicating a modest likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The flaw allows remote command execution, which could lead to full system compromise if an attacker can exploit the vulnerable CGI script.
OpenCVE Enrichment