CVE-2026-10878: D-Link DWR-M920 Command Injection Vulnerability – Patch Now
A command injection vulnerability has been discovered in D-Link DWR-M920 routers running firmware versions 1.1.50 and 1.1.70. An authenticated attacker can manipulate a parameter in the SMS management interface to inject and execute arbitrary system commands. This requires an existing login to the device but does not require user interaction once authenticated. Public exploits are now available, increasing the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in D-Link DWR-M920 1.1.50/1.1.70. Affected is the function sub_41C8E8 of the file /boafrm/formSmsManage. Performing a manipulation of the argument action_value results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10878 involves improper input validation in the sub_41C8E8 function within the /boafrm/formSmsManage endpoint of affected D-Link DWR-M920 firmware. The vulnerability stems from unsafe handling of the 'action_value' parameter, which fails to properly sanitize user-supplied input before passing it to system command execution functions. This manifests as a CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-77 (Improper Neutralization of Special Elements used in a Command) vulnerability. The attack vector is network-based and requires low privilege (authenticated user access) with no additional user interaction necessary.
Business impact
Compromised DWR-M920 devices can be leveraged as internal network footholds for lateral movement, data exfiltration, or deployment of persistent malware. For organizations relying on these routers for branch office or remote connectivity, command injection enables full device compromise, potentially allowing attackers to intercept, redirect, or monitor traffic. The availability of public exploits and medium CVSS score elevate remediation urgency despite the authentication requirement.
Affected systems
D-Link DWR-M920 routers with firmware version 1.1.50 or 1.1.70 are vulnerable. Verify your device firmware version via the device administration interface. Organizations should inventory all instances of this model and version to prioritize patching efforts. D-Link has not universally provided firmware updates for all regions or hardware variants, so verify patch availability for your specific deployment before assuming a fix is available.
Exploitability
Exploitation requires valid credentials to access the router's web interface, which typically limits attack surface to internal networks or users with administrative knowledge. However, given that many routers use default or weak credentials, this barrier is frequently circumvented. Public exploit code is now available, lowering the technical barrier for attackers without deep firmware analysis skills. The lack of user interaction required and straightforward parameter manipulation make this highly feasible for any attacker with network access and valid credentials.
Remediation
Update DWR-M920 firmware to a version newer than 1.1.70. Verify patch availability from D-Link's support portal or product documentation, as availability varies by region and hardware variant. Until patching is possible, enforce strict access controls to the router's web interface by restricting access to trusted IP addresses, disabling remote administration, and enforcing strong authentication credentials. Consider segmenting affected routers from sensitive network segments.
Patch guidance
Verify the latest firmware version available for the DWR-M920 through D-Link's official support website or product documentation. Download the firmware image appropriate for your hardware variant and region, as D-Link often releases region-specific builds. Follow D-Link's official firmware update procedure (typically accessible via the device's web interface under System Settings or Administration). Test the update on a non-critical device first if possible. After updating, verify the new firmware version is confirmed via the device interface. Document the update in your asset management system.
Detection guidance
Monitor web server logs on affected DWR-M920 devices for POST requests to /boafrm/formSmsManage with unusual or shell-like characters in the 'action_value' parameter (e.g., pipe symbols, semicolons, backticks, $(), command separators). Look for failed authentication attempts followed by successful logins from unexpected sources. Monitor system process logs on the router (if available) for unexpected child processes spawned from the web server process. Network detection rules should flag HTTP requests containing command injection payloads to this endpoint. Alert on any firmware downgrades or unauthorized configuration changes.
Why prioritize this
Although the CVSS score is medium (6.3), prioritize this vulnerability because: (1) public exploits significantly lower the bar for attackers, (2) the target is network-edge infrastructure often less closely monitored than internal servers, (3) compromised routers become persistent beachheads for internal network access, and (4) authentication requirements are frequently bypassed via default or weak credentials in production environments. Organizations using DWR-M920 should treat patching as urgent even before patch availability is confirmed, by implementing compensating controls.
Risk score, explained
The CVSS 3.1 score of 6.3 (MEDIUM) reflects the authentication requirement (PR:L) which reduces severity, but accounts for low attack complexity and network accessibility. However, this score does not fully capture organizational risk factors: the public availability of working exploits and the strategic value of router compromise elevate practical risk significantly. Organizations should apply additional context around their reliance on these devices and the sensitivity of networks they serve.
Frequently asked questions
Do I need valid admin credentials to exploit this vulnerability?
Yes, the vulnerability requires authenticated access to the router's web interface. However, many D-Link routers are deployed with default credentials (admin/admin) or weak passwords that are easily guessed or obtained through OSINT. Additionally, if an attacker is already inside your network, gaining router access is often simpler than securing internet-facing systems. Assume this requirement can be bypassed in many real-world scenarios.
What is the practical impact if my DWR-M920 is exploited?
An attacker gains full command execution capability on the router with the same privilege level as the web server process, typically high or root. This allows them to: intercept and redirect network traffic, install persistent backdoors, pivot to other network segments, exfiltrate data passing through the router, and potentially attack other devices on your network. The router becomes a fully compromised network node under attacker control.
Is there a workaround if I cannot patch immediately?
Complete workarounds are limited, but mitigations include: disable remote administration and restrict web interface access to trusted internal IPs only; enforce strong, unique credentials; monitor router logs for suspicious activity; segment the router's network to limit lateral movement potential; consider replacing the device with a patched alternative if available. These reduce but do not eliminate risk—patching remains the primary solution.
How do I check my DWR-M920 firmware version?
Log into the router's web interface (typically 192.168.0.1), navigate to System Settings or Administration, and locate the firmware version display. Compare against the affected versions (1.1.50 and 1.1.70). If you are unsure how to access your router or need help identifying the correct firmware version for your hardware variant, consult D-Link's product documentation or contact their support team.
This analysis is based on publicly available vulnerability data as of the publication date. Vendor advisories, patch availability, and exploit details may change. Organizations should verify all patch version numbers and availability directly with D-Link before deployment. This document does not constitute legal advice or a substitute for professional security assessment. Use of any information herein is at the reader's own risk. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device
- CVE-2026-10550MEDIUMCommand Injection in elunez eladmin Deployment Module
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0