MEDIUM 6.3

CVE-2026-11339: D-Link DWR-M920 Command Injection Vulnerability (CVSS 6.3)

A command injection vulnerability exists in D-Link DWR-M920 routers up to firmware version 1.1.50. An authenticated attacker can inject arbitrary commands through the USSD Setup function, potentially gaining remote code execution on the device. The vulnerability requires valid login credentials but does not need user interaction to exploit. Public exploit code is now available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-77
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11339 is a command injection flaw in the DWR-M920's /boafrm/formUSSDSetup endpoint, specifically within the sub_41CF20 function. The ussdValue parameter fails to properly sanitize or validate user input before passing it to a system command execution context. This allows authenticated attackers to break out of the intended command syntax and inject arbitrary shell commands. The vulnerability maps to CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating both input validation and command injection weaknesses.

Business impact

Compromise of DWR-M920 routers can result in network infrastructure takeover, man-in-the-middle attacks on internal traffic, lateral movement into connected networks, and loss of confidentiality and integrity for all devices behind the router. Given that this device is often deployed in small business and SOHO environments, attackers could use compromised routers as persistent backdoors or staging points for broader network intrusions. The existence of public exploits significantly increases the likelihood of opportunistic attacks.

Affected systems

D-Link DWR-M920 routers running firmware version 1.1.50 and earlier are affected. Verify your device firmware version in the administrative interface (typically accessible at 192.168.0.1). All deployments of this model and firmware revision should be considered at risk if exposed to authenticated users.

Exploitability

Exploitability is moderate to high. The attack requires authentication (PR:L in CVSS), which limits attack surface to users with valid credentials or those who can obtain them through phishing or credential compromise. However, no user interaction is needed once authenticated, and network accessibility is not restricted (AV:N). The public availability of exploit code substantially increases the practical risk of exploitation by threat actors across varying skill levels.

Remediation

Immediately upgrade the DWR-M920 firmware to the latest available version beyond 1.1.50, as provided by D-Link. If a patched firmware version is not yet available, isolate affected devices to restricted network segments, disable remote access to the administrative interface, and enforce strong authentication controls. Consider replacing the device with a newer model if patches remain unavailable after a reasonable period.

Patch guidance

Check D-Link's official support portal for the DWR-M920 to identify available firmware updates. Download the latest firmware directly from D-Link (not third-party sources) and follow their documented upgrade procedure, which typically involves accessing the router's web interface and uploading the firmware file. Verify the firmware version post-upgrade to confirm the patch has been applied. If no patch beyond 1.1.50 is available from D-Link, escalate the matter to vendor support and request a timeline for remediation.

Detection guidance

Monitor network logs for POST requests to /boafrm/formUSSDSetup with unusual or malformed ussdValue parameters containing shell metacharacters (backticks, pipes, semicolons, $(), &&, ||). Examine router access logs for authentication attempts from unexpected sources. Deploy network-based detection for command injection payloads targeting the DWR-M920. If your SIEM or WAF supports it, create alerts for encoded or obfuscated command sequences in USSD-related parameters.

Why prioritize this

Although the CVSS score of 6.3 is rated MEDIUM, the combination of network accessibility, public exploit availability, and the device's role as a network perimeter device warrants prioritization above the base score suggests. Routers are high-value targets for persistent compromise. The authentication requirement does mitigate risk somewhat, but credential compromise is common. Organizations with DWR-M920 deployments should treat this as HIGH priority for patch evaluation and remediation planning.

Risk score, explained

CVSS 6.3 reflects a network-accessible vulnerability requiring authentication, with impacts on confidentiality, integrity, and availability (CIA:L). The score appropriately captures the technical severity but does not account for the device's critical role in network security or the availability of public exploits. In practice, organizations should apply additional risk weighting based on device exposure, network segmentation, and credential hygiene.

Frequently asked questions

Do I need administrator access to exploit this vulnerability?

Yes. The vulnerability requires valid authentication to the DWR-M920 administrative interface. However, this does not mean the risk is negligible — compromised credentials via phishing, weak passwords, or prior breaches are common. Verify your router uses a strong, unique admin password.

Can this vulnerability be exploited without network access to the router?

No, but network access is broadly available for most deployments. If your DWR-M920 is exposed to the internet or to untrusted network segments, the attack surface is significantly larger. Restrict administrative access to trusted IP ranges and disable remote management if not required.

What should I do if I cannot patch the router immediately?

Implement compensating controls: disable access to the /boafrm/formUSSDSetup endpoint at your firewall or WAF if possible, enforce network segmentation to limit who can reach the router's admin interface, rotate admin credentials, and monitor for exploitation attempts. Plan for a firmware upgrade within 30 days.

Is this vulnerability actively being exploited in the wild?

Public exploit code exists, which increases the risk of opportunistic attacks. While we cannot confirm active exploitation at this moment, you should assume threat actors are testing for vulnerable instances. Treat this as a near-term remediation priority.

This analysis is provided for informational purposes only and does not constitute legal, technical, or professional advice. Verify all vulnerability details, patch availability, and applicability to your environment against official D-Link advisories and your own systems inventory. Testing of patches in a non-production environment is strongly recommended before deployment. Organizations should conduct independent risk assessments based on their specific network topology, asset management, and threat model. SEC.co makes no warranty regarding the accuracy of third-party vulnerability data or the effectiveness of recommended mitigations. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).