Impact
The vulnerability allows an attacker to execute arbitrary shell commands by manipulating the cgi_ntp_time function within the /cgi-bin/system_mgr.cgi script on affected D‑Link devices. This flaw results from improper input validation (CWE‑74) and the absence of appropriate command delimiters (CWE‑77). Successful exploitation gives the attacker full control over the router, enabling compromise of network confidentiality, integrity, and availability.
Affected Systems
A range of D‑Link routers is impacted, including the DNR‑202L, DNR‑326, DNR‑322L, DNS‑1100‑4, DNS‑120, DNS‑1200‑05, DNS‑1550‑04, DNS‑315L, DNS‑320, DNS‑320L, DNS‑320LW, DNS‑321, DNS‑323, DNS‑325, DNS‑326, DNS‑327L, DNS‑340L, DNS‑343, DNS‑345, DNS‑726‑4 and the DNS‑1200‑05. Any firmware released on or before build 20260205 may contain the flaw.
Risk and Exploitability
The CVSS base score of 5.3 indicates medium severity, and the EPSS score of 4% shows a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that a remote attacker could exploit this weakness without authentication, although the CVE text does not explicitly confirm credential requirements. Publicly available exploit code means unpatched devices are likely vulnerable.
OpenCVE Enrichment