CVE-2026-1596
Remote Command Injection in D-Link DWR-M961 LTE Upgrade Function
Publication date: 2026-01-29
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m961_firmware | 1.1.47 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1596 is a command injection vulnerability in the D-Link DWR-M961 4G LTE router firmware version 1.1.47. It exists in the function sub_419920 behind the /boafrm/formLtefotaUpgradeQuectel endpoint. The handler only checks the user-supplied parameter 'fota_url' for a protocol prefix such as 'http://', 'https://', or 'ftp://' and does not otherwise sanitize it. The unsanitized value is then formatted into a shell command with sprintf and passed directly to system(), allowing an authenticated attacker to execute arbitrary system commands with root privileges remotely. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can severely impact you by allowing an authenticated remote attacker to execute arbitrary commands on the affected router with root privileges. This compromises the confidentiality, integrity, and availability of the device, potentially leading to unauthorized access, control over the router, disruption of network services, and further exploitation within the network. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/boafrm/formLtefotaUpgradeQuectel` whose `fota_url` parameter starts with a protocol prefix such as "http://", "https://", or "ftp://" and is followed by unusual characters or shell metacharacters indicating a command injection attempt. Detection can also involve emulating the firmware and using proof-of-concept scripts to test for command injection. For network detection, tools such as `tcpdump` or `Wireshark` can be used to capture HTTP POST requests to the vulnerable endpoint. For example, a command to capture such traffic might be: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formLtefotaUpgradeQuectel'`. Note that this filter only matches TCP segments on port 80 that carry a payload, so it sees plaintext HTTP management traffic only, and `grep` prints just the request line that names the endpoint, not the form body that holds `fota_url`. Additionally, using tools like `curl` or custom scripts to send crafted requests to the endpoint and observe responses can help verify vulnerability presence. [3]
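The following is an added detection example, not code from this CVE record, from VulDB, or from D-Link. It inspects raw HTTP requests (as captured by `tcpdump -A` or a proxy) for POSTs to the endpoint named above, percent-decodes the `fota_url` form field, and classifies it by the prefix check the description mentions and by the presence of shell metacharacters. The endpoint path, the parameter name and the accepted prefixes come from the page; the metacharacter set and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import unquote_plus

VULN_ENDPOINT = "/boafrm/formLtefotaUpgradeQuectel"   # from the CVE record
ALLOWED_PREFIXES = ("http://", "https://", "ftp://")  # prefixes the firmware checks for
# Assumed set of characters that change the meaning of a string once it reaches
# system() via sprintf; tune this for your own environment.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_form_body(body: str) -> dict:
    """Decode application/x-www-form-urlencoded by hand so that a percent-encoded
    ';' (%3B) is decoded after splitting and never treated as a field separator."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def classify_fota_url(value: str) -> str:
    """Mirror the firmware's prefix check, then look for shell metacharacters."""
    if not value.startswith(ALLOWED_PREFIXES):
        return "rejected-prefix"      # the firmware's own check would refuse this
    if any(ch in SHELL_META for ch in value):
        return "suspicious"           # passes the prefix check but carries metacharacters
    return "benign"


def inspect_request(raw: bytes):
    """Return a finding dict for POSTs to the vulnerable endpoint, else None."""
    method, target, _headers, body = parse_http_request(raw)
    path = target.split("?", 1)[0]
    if method != "POST" or path != VULN_ENDPOINT:
        return None
    fields = parse_form_body(body)
    if "fota_url" not in fields:
        return {"verdict": "no-fota_url", "fota_url": None}
    value = fields["fota_url"]
    return {"verdict": classify_fota_url(value), "fota_url": value}


def build_request(path: str, body: str, method: str = "POST") -> bytes:
    """Build a minimal HTTP/1.1 request; constructed sample, not captured traffic."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        "Host: 192.168.0.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


# Constructed samples: the decoded metacharacter value is the one a naive grep on
# the raw capture would miss, because ';' arrives percent-encoded as %3B.
SAMPLES = {
    "benign": build_request(VULN_ENDPOINT, "fota_url=http%3A%2F%2Ffota.example.invalid%2Fdwr-m961.bin"),
    "metachar": build_request(VULN_ENDPOINT, "fota_url=http%3A%2F%2F203.0.113.5%2Ffw.bin%3Bls"),
    "bad_prefix": build_request(VULN_ENDPOINT, "fota_url=tftp%3A%2F%2F203.0.113.5%2Ffw.bin"),
    "other_endpoint": build_request("/boafrm/formLogin", "fota_url=http%3A%2F%2F203.0.113.5%2Fx%3Bls"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} {inspect_request(raw)}")
```

Feed `inspect_request` the raw bytes of each reassembled request from a plaintext HTTP capture or a management-plane proxy; a "suspicious" verdict is the signal to alert on, and "rejected-prefix" requests are still worth logging because they show someone probing the upgrade handler.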
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/boafrm/formLtefotaUpgradeQuectel` by limiting network exposure, such as applying firewall rules to block unauthorized access to the router's management interface. Since no known countermeasures or patches are currently available, it is recommended to replace the affected device with a non-vulnerable alternative. Additionally, monitoring for exploitation attempts and disabling remote management features if possible can reduce risk. [2]