📄 Description (English)
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted is the function cgi_addgroup_get_group_quota_minsize of the file /cgi-bin/account_mgr.cgi. The manipulation of the argument Name results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
🤖 AI Executive Summary
A critical stack-based buffer overflow vulnerability exists in D-Link NAS devices (DNS and DNR series) affecting firmware versions up to 20260205. The vulnerability in the account_mgr.cgi script allows remote attackers to execute arbitrary code by manipulating the 'Name' parameter. With public exploits available and no patch currently released, this poses an immediate threat to organizations using these devices for network storage and backup.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 16:04
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations across multiple critical sectors are at significant risk. Banking and financial institutions using D-Link NAS for transaction logs and backup data face potential data breach and system compromise. Government agencies and NCA infrastructure relying on these devices for secure document storage are vulnerable to unauthorized access and data exfiltration. Healthcare organizations (MOH facilities) using DNS devices for patient records could experience HIPAA-equivalent violations. Energy sector (ARAMCO and related entities) using these NAS devices for operational technology backups face production disruption risks. Telecommunications providers (STC, Mobily) and large enterprises using D-Link NAS for centralized storage are exposed to remote code execution attacks.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Large Enterprises
Data Centers
Educational Institutions
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all D-Link DNS/DNR devices in your environment and document firmware versions
2. Isolate affected devices from internet-facing networks immediately
3. Restrict access to the /cgi-bin/account_mgr.cgi endpoint using firewall rules
4. Monitor for suspicious HTTP requests to account_mgr.cgi with unusual 'Name' parameter values
COMPENSATING CONTROLS (until patch available):
1. Implement network segmentation - place NAS devices on isolated VLAN with restricted access
2. Disable remote management interfaces if not required
3. Change default credentials and enforce strong authentication
4. Deploy Web Application Firewall (WAF) rules to block requests with buffer overflow patterns to account_mgr.cgi
5. Implement rate limiting on CGI endpoints
6. Enable detailed logging of all CGI requests for forensic analysis
DETECTION RULES:
1. Monitor HTTP POST/GET requests to /cgi-bin/account_mgr.cgi with 'Name' parameter exceeding 256 bytes
2. Alert on any requests containing null bytes or shellcode patterns in the Name parameter
3. Track failed authentication attempts followed by CGI access attempts
4. Monitor for unexpected process execution from httpd/lighttpd processes
5. Establish baseline for normal account_mgr.cgi usage and alert on deviations
PATCHING GUIDANCE:
1. Contact D-Link support for emergency firmware updates
2. Prepare isolated test environment to validate patches when available
3. Plan maintenance window for firmware updates on non-production systems first
4. Maintain backup of current configuration before any firmware updates
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع أجهزة D-Link DNS/DNR في بيئتك وتوثيق إصدارات البرامج الثابتة
2. عزل الأجهزة المتأثرة عن الشبكات المتصلة بالإنترنت فوراً
3. تقييد الوصول إلى نقطة نهاية /cgi-bin/account_mgr.cgi باستخدام قواعد جدار الحماية
4. مراقبة طلبات HTTP المريبة إلى account_mgr.cgi بقيم معاملات 'Name' غير عادية
الضوابط البديلة (حتى توفر التصحيح):
1. تنفيذ تقسيم الشبكة - ضع أجهزة NAS على VLAN معزول مع وصول مقيد
2. تعطيل واجهات الإدارة البعيدة إذا لم تكن مطلوبة
3. تغيير بيانات الاعتماد الافتراضية وفرض مصادقة قوية
4. نشر قواعد جدار تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على أنماط تجاوز المخزن المؤقت إلى account_mgr.cgi
5. تنفيذ تحديد معدل على نقاط نهاية CGI
6. تفعيل تسجيل مفصل لجميع طلبات CGI للتحليل الجنائي
قواعد الكشف:
1. مراقبة طلبات HTTP POST/GET إلى /cgi-bin/account_mgr.cgi مع معامل 'Name' يتجاوز 256 بايت
2. تنبيه على أي طلبات تحتوي على بايتات فارغة أو أنماط shellcode في معامل Name
3. تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات الوصول إلى CGI
4. مراقبة تنفيذ العمليات غير المتوقعة من عمليات httpd/lighttpd
5. إنشاء خط أساس للاستخدام الطبيعي لـ account_mgr.cgi والتنبيه على الانحرافات
إرشادات التصحيح:
1. اتصل بدعم D-Link للحصول على تحديثات البرامج الثابتة الطارئة
2. تحضير بيئة اختبار معزولة للتحقق من صحة التصحيحات عند توفرها
3. تخطيط نافذة صيانة لتحديثات البرامج الثابتة على الأنظمة غير الإنتاجية أولاً
4. الاحتفاظ بنسخة احتياطية من التكوين الحالي قبل أي تحديثات للبرامج الثابتة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.8.1.1 - User access management and authentication
A.12.2.1 - Change management procedures
A.12.4.1 - Event logging and monitoring
A.13.1.1 - Network security perimeter
🔵 SAMA CSF
ID.AM-2 - Asset management and inventory
PR.AC-1 - Access control and authentication
PR.PT-1 - Security awareness and training
DE.CM-1 - Detection and analysis
RS.RP-1 - Response planning
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.8.1.4 - Access management
A.12.2.1 - Change management
A.12.4.1 - Event logging
A.13.1.1 - Network security
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches and updates
Requirement 10.2 - User access logging
Requirement 11.3 - Penetration testing
🔗 References & Sources 5
🔗
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_169/169.md
cna@vuldb.com
Exploit
Third Party Advisory
🔗
https://vuldb.com/submit/780439
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/354349
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/354349/cti
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://www.dlink.com/
cna@vuldb.com
Product
📦 Affected Products / CPE 20 entries
dlink:dnr-202l_firmware
dlink:dnr-326_firmware
dlink:dns-1100-4_firmware
dlink:dns-120_firmware
dlink:dns-1200-05_firmware
dlink:dns-1550-04_firmware
dlink:dns-315l_firmware
dlink:dns-320_firmware
dlink:dns-320l_firmware
dlink:dns-320lw_firmware
dlink:dns-321_firmware
dlink:dns-322l_firmware
dlink:dns-323_firmware
dlink:dns-325_firmware
dlink:dns-326_firmware
dlink:dns-327l_firmware
dlink:dns-340l_firmware
dlink:dns-343_firmware
dlink:dns-345_firmware
dlink:dns-726-4_firmware