CVE-2026-4210: Command Injection in D-Link DNS-120
A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
AI Analysis
Technical Summary
CVE-2026-4210 is a remote command injection vulnerability discovered in a broad range of D-Link NAS devices, including DNS-120, DNS-315L, DNS-320 series, DNS-323, DNS-325, DNS-326, DNS-327L, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, specifically affecting firmware versions up to 20260205. The flaw exists in the cgi_tm_set_share function within the /cgi-bin/time_machine.cgi endpoint, where the 'Name' argument is not properly sanitized, allowing an attacker to inject arbitrary OS commands. This vulnerability can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers over the network. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, meaning some level of access is needed), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit code has been publicly released, increasing the likelihood of exploitation, although no active exploitation has been reported yet. The vulnerability affects the underlying operating system of the NAS devices, potentially allowing attackers to execute arbitrary commands, leading to unauthorized access, data leakage, or disruption of services. The absence of available patches or official vendor advisories at this time increases the urgency for organizations to implement mitigations and monitor for suspicious activity.
Potential Impact
The vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices without authentication, posing a significant risk to confidentiality, integrity, and availability. Successful exploitation could lead to unauthorized data access or exfiltration, modification or deletion of stored data, and disruption of NAS services critical for business operations. Given the NAS devices' role in centralized storage and backup, compromise could impact multiple users or systems relying on these devices. The public availability of exploit code increases the risk of widespread attacks, especially targeting organizations that have not applied mitigations. While the CVSS score rates the severity as medium, the real-world impact could be higher depending on the sensitivity of the data stored and the network environment. Organizations using these devices in enterprise or critical infrastructure environments face elevated risks of data breaches, ransomware deployment, or persistent unauthorized access.
Mitigation Recommendations
1. Immediately isolate affected D-Link NAS devices from untrusted networks to prevent remote exploitation.
2. Monitor network traffic and device logs for unusual or unauthorized access attempts targeting /cgi-bin/time_machine.cgi or suspicious command execution patterns.
3. Implement network-level access controls such as firewall rules to restrict access to NAS management interfaces to trusted IP addresses only.
4. Disable or restrict the use of the vulnerable CGI endpoint if possible, or disable remote management features until a vendor patch is available.
5. Regularly check for vendor advisories and apply firmware updates or patches as soon as they are released.
6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for known exploit attempts targeting this vulnerability.
7. Conduct thorough audits of NAS device configurations and user permissions to minimize exposure.
8. Consider network segmentation to limit the impact of a compromised NAS device.
9. Educate IT staff about this vulnerability and ensure incident response plans include procedures for NAS device compromise.
10. If feasible, replace affected devices with models not impacted by this vulnerability or from vendors with timely security support.
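A log triage for recommendation 2, as an added example that is not part of the original advisory: it flags requests to /cgi-bin/time_machine.cgi that come from outside a trusted subnet or carry a `Name` value outside a conservative allowlist. The combined-format proxy log, the 10.0.5.0/24 admin subnet, the share-name policy and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/cgi-bin/time_machine.cgi"              # path named in the advisory
TRUSTED = [ipaddress.ip_network("10.0.5.0/24")]     # assumption: admin subnet
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,64}")    # assumption: share-name policy
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    '10.0.5.20 - admin [16/Mar/2026:09:00:01 +0000] "GET /cgi-bin/time_machine.cgi?Name=Backups HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Mar/2026:09:02:13 +0000] "GET /cgi-bin/time_machine.cgi?Name=bad%3Bvalue HTTP/1.1" 200 0',
    '203.0.113.9 - - [16/Mar/2026:09:02:40 +0000] "POST /cgi-bin/time_machine.cgi HTTP/1.1" 200 0',
    '10.0.5.20 - - [16/Mar/2026:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED)

def triage(line):
    """Return the findings for one access-log line (empty list if none)."""
    m = LINE.match(line)
    if not m:
        return []
    src, method, target, _status = m.groups()
    url = urlsplit(target)
    if posixpath.normpath(unquote(url.path)) != ENDPOINT:
        return []
    findings = [] if is_trusted(src) else ["untrusted-source"]
    # parse_qs URL-decodes values, so percent-encoded characters are checked in clear.
    params = parse_qs(url.query, keep_blank_values=True)
    if any(not SAFE_NAME.fullmatch(v) for v in params.get("Name", [])):
        findings.append("unsafe-name")
    if method == "POST" and "Name" not in params:
        findings.append("body-not-logged")  # Name may be in the body; inspect at the proxy
    return findings

def scan(lines):
    """Map 1-based line number to findings, for lines that need review."""
    return {n: f for n, line in enumerate(lines, 1) if (f := triage(line))}

if __name__ == "__main__":
    for n, f in scan(SAMPLE).items():
        print(n, ",".join(f))
```

Access logs normally omit POST bodies, so a `body-not-logged` finding means the `Name` value has to be checked with body inspection at the proxy or IDS rather than from the log alone.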
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, China, India, Australia, Canada, France, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-15T11:58:18.779Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b77e229d4df45183f020c4
Added to database: 3/16/2026, 3:50:58 AM
Last enriched: 3/16/2026, 4:05:39 AM
Last updated: 3/16/2026, 10:00:41 PM