MEDIUM 6.3

CVE-2026-11341: D-Link DWR-M920 Command Injection Vulnerability – Patch & Detection Guide

D-Link DWR-M920 routers up to firmware version 1.1.50 contain a command injection vulnerability in the IMEI setup form handler. An authenticated attacker can manipulate the IMEI_value parameter to execute arbitrary operating system commands on the affected device. The vulnerability requires valid login credentials but allows remote exploitation without user interaction once authenticated. Public exploit code has been released.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-77, CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A flaw has been found in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_412DA0 of the file /boafrm/formIMEISetup. This manipulation of the argument IMEI_value causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11341 is a command injection flaw residing in the sub_412DA0 function within the /boafrm/formIMEISetup endpoint of D-Link DWR-M920 devices. The vulnerability stems from insufficient input validation on the IMEI_value parameter, allowing attackers to inject OS-level commands that are executed with device privileges. The attack vector is network-based and does not require special configuration; however, it does require prior authentication (CWE-77, CWE-78). The CVSS v3.1 base score of 6.3 reflects the low attack complexity and low privilege requirement needed to trigger the flaw.

Business impact

An authenticated attacker exploiting this vulnerability could compromise the integrity and availability of affected D-Link routers. Potential impacts include unauthorized configuration changes, interception of network traffic routed through the device, deployment of persistent malware, or complete device takeover. For organizations relying on these routers for branch office or remote access connectivity, compromise could lead to network-wide lateral movement, data exfiltration, or denial of service. The fact that public exploits are available increases the likelihood of opportunistic attacks targeting exposed or poorly secured management interfaces.

Affected systems

D-Link DWR-M920 routers running firmware version 1.1.50 and earlier are confirmed vulnerable. The vulnerability impacts the router's web-based management interface. No information was provided regarding later firmware versions or other D-Link product lines, so verification against D-Link's official advisory is essential to confirm the full scope of affected hardware and whether patches are available.

Exploitability

Exploitability is moderate-to-high. The attack requires authentication, which significantly limits casual exploitation; however, many routers use default or weak credentials that are commonly known or can be brute-forced. The attack vector is entirely remote (network-based) with no user interaction required post-authentication. The fact that working exploit code has been published in the wild means skilled attackers can readily weaponize this flaw. Organizations with poorly maintained router credentials or internet-exposed management interfaces face elevated risk.

Remediation

The primary remediation is to apply a firmware update from D-Link that patches the command injection flaw. Verify the availability of patches via D-Link's official security advisory or support portal. Until patches are deployed, restrict administrative access to D-Link DWR-M920 routers through network-level controls: disable remote management if not required, implement firewall rules limiting management interface access to trusted IP ranges, and enforce strong, unique passwords on all router accounts.

Patch guidance

Consult D-Link's official security advisory for CVE-2026-11341 to identify the minimum firmware version that resolves this issue. Firmware updates should be applied to all affected DWR-M920 devices in a controlled manner, with backup configurations taken beforehand. Test updates in a non-production environment if possible before rolling out to operational devices. If patches are not yet available, apply compensating controls (see remediation summary) immediately.

Detection guidance

Monitor router logs for suspicious activity in the /boafrm/formIMEISetup endpoint, particularly requests containing special characters, shell metacharacters, or command-like syntax in the IMEI_value parameter. Detect brute-force attempts against router authentication portals. If network visibility is available, flag HTTP POST requests to the vulnerable endpoint originating from unexpected sources. Additionally, monitor for unexpected process execution on affected routers or configuration changes that were not authorized. Organizations may also search for the web-based management interface on internet-facing assets using network scanning to identify exposed instances that require immediate hardening.

Why prioritize this

Although the CVSS score is MEDIUM (6.3), the combination of public exploit availability, network-accessible attack vector, and potential for full device compromise warrants prompt attention. The requirement for authentication significantly reduces risk in well-managed environments but is a minor barrier in deployments with weak credential practices. Organizations should prioritize patching or hardening internet-facing DWR-M920 instances and any units with default or weak passwords.

Risk score, explained

The CVSS v3.1 score of 6.3 (MEDIUM) reflects: remote network accessibility (AV:N), low attack complexity (AC:L), requirement for low privilege via authentication (PR:L), no special user interaction needed (UI:N), and impact limited to confidentiality, integrity, and availability of the router itself (C:L, I:L, A:L). The score does not account for downstream network compromise risk or the availability of public exploit code. Organizations should layer this base score with contextual factors such as internet exposure, credential hygiene, and the criticality of the router in their infrastructure to determine local risk.

Frequently asked questions

Does this vulnerability affect other D-Link router models?

The advisory specifically names the DWR-M920 up to version 1.1.50. Other D-Link router models may or may not be vulnerable. Check D-Link's official security advisory to confirm which products are in scope, and test your specific models in a lab environment if you operate multiple D-Link devices.

What if I cannot apply a patch immediately?

Implement compensating controls: disable remote management access if it is not essential, restrict administrative access via firewall rules to trusted internal IP ranges only, enforce strong unique passwords, and monitor for suspicious activity on the /boafrm/formIMEISetup endpoint. These measures significantly reduce risk while you prepare and test patches.

How can I verify if my D-Link router has been compromised?

Review router logs for unexpected process execution, configuration changes you did not authorize, or suspicious POST requests to the vulnerable endpoint. Check running processes and cron jobs for unauthorized entries. If you suspect compromise, isolate the device, perform a factory reset after backing up the configuration, and restore from a known-good backup if available. Contact D-Link support if you need forensic assistance.

Is authentication a significant barrier to exploitation?

Authentication reduces but does not eliminate risk. Many routers use default credentials (admin/admin) or weak passwords that attackers can guess or brute-force. If your router is internet-exposed or on a network with compromised user accounts, the authentication requirement becomes a minor obstacle. Always use strong, unique administrative credentials.

This analysis is provided for informational and defensive purposes. The information herein is based on publicly disclosed vulnerability data as of the publication date and may not reflect all future updates or patches. Always verify patch availability and compatibility with your specific hardware and firmware version through D-Link's official channels. SEC.co does not endorse or provide exploit code. Organizations are responsible for assessing their own risk and implementing appropriate mitigations. This document should not be construed as legal, compliance, or vendor-specific support advice. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).