Vulnerabilities ›

CVE-2026-5213

High ⚡ Exploit Available

CWE-119 — Weakness Type

                    Published: Mar 31, 2026                      ·  Modified: Apr 7, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_adduser_to_session of the file /cgi-bin/account_mgr.cgi. This manipulation of the argument read_list causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

🤖 AI Executive Summary

A critical stack-based buffer overflow vulnerability exists in D-Link NAS devices (DNS and DNR series) affecting firmware versions up to 20260205. The vulnerability in the account_mgr.cgi file allows unauthenticated remote code execution through the read_list parameter. With public exploit availability and no patch currently available, this poses an immediate threat to organizations using these devices for data storage and backup.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 16:04

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations across multiple critical sectors are at significant risk: Banking sector (SAMA-regulated institutions using D-Link NAS for transaction logs and backup), Government agencies (NCA, CITC infrastructure), Healthcare providers (SEHA facilities storing patient records), Energy sector (ARAMCO and downstream companies), and Telecommunications (STC, Mobily infrastructure). The vulnerability enables complete device compromise, data exfiltration, lateral network movement, and potential supply chain attacks through compromised backup systems.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare Energy and Utilities Telecommunications Critical Infrastructure Data Centers and Cloud Services

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation T1543 - Create or Modify System Process T1059 - Command and Scripting Interpreter T1005 - Data from Local System T1041 - Exfiltration Over C2 Channel T1570 - Lateral Tool Transfer

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Inventory all D-Link DNS/DNR devices in your environment and document firmware versions

2. Isolate affected devices from production networks or restrict access to trusted networks only

3. Disable remote access to the web management interface (port 80/443) if not critical

4. Implement network segmentation to limit lateral movement from compromised NAS devices

5. Monitor for suspicious access patterns to /cgi-bin/account_mgr.cgi

COMPENSATING CONTROLS:

1. Deploy WAF rules to block requests containing 'read_list' parameter with suspicious payloads

2. Implement strict firewall rules allowing only authorized IPs to access management interfaces

3. Enable authentication logging and monitor for failed/successful login attempts

4. Deploy IDS/IPS signatures detecting buffer overflow attempts to account_mgr.cgi

5. Implement network-based access controls restricting CGI script access

DETECTION RULES:

1. Monitor HTTP POST requests to /cgi-bin/account_mgr.cgi with oversized read_list parameters (>1024 bytes)

2. Alert on any unauthenticated access attempts to account_mgr.cgi

3. Track process execution from httpd/web service processes

4. Monitor for unexpected child processes spawned from D-Link device web services

5. Log all firmware update attempts and configuration changes

PATCHING GUIDANCE:

1. Contact D-Link support immediately for firmware updates

2. Prepare isolated test environment to validate patches when available

3. Establish maintenance window for device updates

4. Consider replacement with patched models if updates are not forthcoming

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بحصر جميع أجهزة D-Link DNS/DNR في بيئتك وتوثيق إصدارات البرامج الثابتة

2. عزل الأجهزة المتأثرة عن شبكات الإنتاج أو تقييد الوصول للشبكات الموثوقة فقط

3. تعطيل الوصول البعيد إلى واجهة الإدارة على الويب (المنفذ 80/443) إذا لم يكن حرجاً

4. تنفيذ تقسيم الشبكة لتحديد الحركة الجانبية من أجهزة NAS المخترقة

5. مراقبة أنماط الوصول المريبة إلى /cgi-bin/account_mgr.cgi

الضوابط التعويضية:

1. نشر قواعد WAF لحجب الطلبات التي تحتوي على معامل read_list برموز مريبة

2. تنفيذ قواعد جدار الحماية الصارمة للسماح فقط بعناوين IP المصرح بها للوصول إلى واجهات الإدارة

3. تفعيل تسجيل المصادقة ومراقبة محاولات تسجيل الدخول الفاشلة والناجحة

4. نشر توقيعات IDS/IPS للكشف عن محاولات تجاوز المخزن المؤقت إلى account_mgr.cgi

5. تنفيذ ضوابط الوصول المستندة إلى الشبكة لتقييد الوصول إلى نصوص CGI

قواعد الكشف:

1. مراقبة طلبات HTTP POST إلى /cgi-bin/account_mgr.cgi مع معاملات read_list كبيرة الحجم (>1024 بايت)

2. تنبيه على أي محاولات وصول غير مصرح بها إلى account_mgr.cgi

3. تتبع تنفيذ العمليات من عمليات httpd/خدمة الويب

4. مراقبة العمليات الفرعية غير المتوقعة المنبثقة من خدمات الويب لجهاز D-Link

5. تسجيل جميع محاولات تحديث البرامج الثابتة والتغييرات في الإعدادات

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.2.1 - Monitoring and logging ECC 2024 A.13.1.3 - Segregation of networks

🔵 SAMA CSF

ID.RA-1 - Asset management and vulnerability identification PR.DS-6 - Data protection and integrity DE.CM-1 - Detection and monitoring RS.RP-1 - Response planning

🟡 ISO 27001:2022

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy A.12.2.1 - Monitoring and logging A.13.1.3 - Segregation of networks A.12.3.1 - Installation of software on operational systems

🟣 PCI DSS v4.0.1

Requirement 6.2 - Security patches and updates Requirement 11.2 - Vulnerability scanning Requirement 12.2 - Configuration standards

🔗 References & Sources 5

🔗

https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_168/168.md

cna@vuldb.com

Exploit Third Party Advisory

🔗

https://vuldb.com/submit/780437

cna@vuldb.com

Third Party Advisory VDB Entry

🔗

https://vuldb.com/vuln/354350

cna@vuldb.com

Third Party Advisory VDB Entry

🔗

https://vuldb.com/vuln/354350/cti

cna@vuldb.com

Permissions Required VDB Entry

🔗

https://www.dlink.com/

cna@vuldb.com

Product

📦 Affected Products / CPE 20 entries

dlink:dnr-202l_firmware

dlink:dnr-326_firmware

dlink:dns-1100-4_firmware

dlink:dns-120_firmware

dlink:dns-1200-05_firmware

dlink:dns-1550-04_firmware

dlink:dns-315l_firmware

dlink:dns-320_firmware

dlink:dns-320l_firmware

dlink:dns-320lw_firmware

dlink:dns-321_firmware

dlink:dns-322l_firmware

dlink:dns-323_firmware

dlink:dns-325_firmware

dlink:dns-326_firmware

dlink:dns-327l_firmware

dlink:dns-340l_firmware

dlink:dns-343_firmware

dlink:dns-345_firmware

dlink:dns-726-4_firmware

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-119

EPSS0.03%

Exploit ✓ Yes

Patch ✗ No

Published 2026-03-31

Source Feed nvd

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

exploit-available CWE-119

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-5213

💬 Comments

Introduce Yourself

Sign In Required