CVE-2026-2085
Remote Command Injection in D-Link DWR-M921 USSD Endpoint
Publication date: 2026-02-07
Last updated on: 2026-02-12
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m921_firmware | 1.1.50 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the D-Link DWR-M921 router firmware version 1.1.50, specifically in the USSD Configuration Endpoint at `/boafrm/formUSSDSetup` within the function `sub_419F20`.
The issue arises because the user-supplied parameter `ussdValue` is formatted directly into a system command string with `sprintf` and no sanitization; in particular, single quotes in the value are not handled, so they can break out of the quoted argument.
An authenticated attacker can exploit this flaw by injecting malicious commands into the `ussdValue` parameter, breaking out of the intended command structure and executing arbitrary operating system commands with root privileges via the `system()` call.
This command injection vulnerability allows attackers to run any command on the device remotely after authentication.
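As an added illustration of the flaw described above (example code written for this page, not the firmware's or the advisory's), the following C snippet contrasts the unsafe sprintf-into-system() pattern with an allowlist check followed by argv-based invocation. The helper path `/usr/sbin/ussd_tool` and the 32-byte length limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Longest USSD string accepted. Assumed value; the real firmware limit is unknown. */
#define USSD_MAX 32

/* Accept only a plausible USSD code: non-empty, at most USSD_MAX bytes, built
 * solely from digits, '*' and '#'. Every byte a shell could interpret (quotes,
 * ';', '|', '&', '$', backticks, whitespace) fails this check, so the
 * single-quote breakout the advisory describes is rejected before any command
 * is built. */
bool ussd_value_is_valid(const char *value) {
    if (value == NULL) return false;
    size_t len = 0;
    for (; value[len] != '\0'; len++) {
        unsigned char c = (unsigned char)value[len];
        if (len >= USSD_MAX) return false;
        if (!isdigit(c) && c != '*' && c != '#') return false;
    }
    return len > 0;
}

/* Vulnerable pattern, paraphrased from the advisory (not the firmware's code):
 *     sprintf(cmd, "ussd_tool '%s'", value);  system(cmd);
 * A single quote inside value closes the quoted argument, and the shell that
 * system() spawns parses whatever follows as further commands.
 *
 * Hardened replacement: validate, then hand the value to the helper as one
 * argv element for execve()/posix_spawn(), so no shell parses it at all.
 * Returns 0 and fills argv on success, -1 (argv untouched) otherwise. */
int build_ussd_argv(const char *value, const char *argv[], size_t argv_len) {
    if (argv_len < 3 || !ussd_value_is_valid(value)) return -1;
    argv[0] = "/usr/sbin/ussd_tool"; /* hypothetical helper binary path */
    argv[1] = value;                 /* one argument, never re-parsed */
    argv[2] = NULL;
    return 0;
}
```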
How can this vulnerability impact me?
Exploitation of this vulnerability allows an authenticated attacker to execute arbitrary operating system commands on the affected router with root privileges. Possible consequences include:
- Gain a root shell on the device.
- Modify system configurations.
- Open backdoors such as enabling telnetd.
- Disrupt services running on the device.
- Read sensitive device files.
Overall, this vulnerability compromises the confidentiality, integrity, and availability of the device, posing a severe security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the USSD Configuration Endpoint `/boafrm/formUSSDSetup` on the D-Link DWR-M921 router firmware version 1.1.50 for command injection via the `ussdValue` parameter.

Detection involves sending authenticated POST requests with crafted payloads in the `ussdValue` parameter that attempt to break out of the command string and execute arbitrary commands.

A common detection method is to inject commands that cause observable effects, such as delays (e.g., `sleep 5`), and measure response timing to confirm command execution.

An example approach uses a proof-of-concept script that automates login and sends a POST request to `/boafrm/formUSSDSetup` with payloads like `1'; sleep 5; '` in the `ussdValue` parameter.

No simple single command is provided, but detection requires authenticated access and crafting POST requests to the vulnerable endpoint with malicious `ussdValue` inputs. [2]
What immediate steps should I take to mitigate this vulnerability?
Currently, no known countermeasures or mitigations exist for this vulnerability in the affected firmware version 1.1.50 of the D-Link DWR-M921 router.

Immediate mitigation steps include restricting access to the router's management interface to trusted users only, ensuring strong authentication, and monitoring for suspicious activity.

Since exploitation requires authentication, limiting administrative access and changing default credentials can reduce risk.

Ultimately, it is recommended to replace the affected device with an alternative product that is not vulnerable. [3]