CVE-2026-1596
Unknown Unknown - Not Provided
Remote Command Injection in D-Link DWR-M961 LTE Upgrade Function

Publication date: 2026-01-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1596
EUVD
EUVD-2026-4953
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dwr-m961_firmware 1.1.47
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1596 is a command injection vulnerability in the D-Link DWR-M961 4G LTE router firmware version 1.1.47. It exists in the function sub_419920 within the /boafrm/formLtefotaUpgradeQuectel endpoint. The vulnerability arises because the router processes the user-supplied parameter 'fota_url' by only partially validating it to check for protocol prefixes like 'http://', 'https://', or 'ftp://', but does not properly sanitize the input. This unsanitized input is then used in a shell command via sprintf and passed directly to the system() function, allowing an authenticated attacker to execute arbitrary system commands with root privileges remotely. [1, 2, 3]

Impact Analysis

This vulnerability can severely impact you by allowing an authenticated remote attacker to execute arbitrary commands on the affected router with root privileges. This compromises the confidentiality, integrity, and availability of the device, potentially leading to unauthorized access, control over the router, disruption of network services, and further exploitation within the network. [2]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/boafrm/formLtefotaUpgradeQuectel` that include the `fota_url` parameter containing protocol prefixes such as "http://", "https://", or "ftp://" followed by unusual or shell metacharacters indicating command injection attempts. Detection can also involve emulating the firmware and using proof-of-concept scripts to test for command injection. For network detection, commands like `tcpdump` or `Wireshark` can be used to capture HTTP POST requests to the vulnerable endpoint. For example, a command to capture such traffic might be: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formLtefotaUpgradeQuectel'`. Additionally, using tools like `curl` or custom scripts to send crafted requests to the endpoint and observe responses can help verify vulnerability presence. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/boafrm/formLtefotaUpgradeQuectel` by limiting network exposure, such as applying firewall rules to block unauthorized access to the router's management interface. Since no known countermeasures or patches are currently available, it is recommended to replace the affected device with a non-vulnerable alternative. Additionally, monitoring for exploitation attempts and disabling remote management features if possible can reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart