Impact
This vulnerability is a command injection flaw in the FTP_Server_BlockIP_Del functionality of the app_mgr.cgi CGI script on D-Link DNS routers. The flaw allows a remote attacker to inject arbitrary commands via crafted HTTP requests, potentially resulting in full remote command execution on the device. The description does not explicitly state whether authentication is required; this absence is inferred to mean the flaw can be exploited without credentials. The weakness is embodied by CWE-74 (Improper Neutralization of Special Elements used in a Command) and CWE-77 (Improper Validation of Constant Parameters).
Affected Systems
Affected devices include a wide range of D-Link routers: D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, versioning up to firmware 20260205.
Risk and Exploitability
The CVSS v3 score is 5.3, indicating moderate potential impact. The EPSS score is 3.5%, reflecting a somewhat higher likelihood of exploitation than previously thought. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, exploiting the app_mgr.cgi over HTTP and requiring network connectivity to the device's administrative interface. The description does not explicitly mention authentication requirements; it is inferred that the flaw might be exploitable without credentials, which could elevate risk for exposed devices.
OpenCVE Enrichment