CVE-2026-2169
Remote Command Injection in D-Link DWR-M921 LTE Firmware Upgrade
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m921_firmware | 1.1.50 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2169 is a critical command injection vulnerability found in the D-Link DWR-M921 router firmware version 1.1.50. It exists in the handling of the fota_url parameter at the /boafrm/formLtefotaUpgradeFibocom endpoint. The firmware fails to properly sanitize this input before passing it to system commands, allowing an authenticated attacker to append arbitrary shell commands. These commands are executed with root privileges on the device, enabling remote code execution.
The attack involves authenticating to the router, then sending a crafted POST request with malicious input in the `fota_url` parameter. The vulnerability arises because shell metacharacters like `;`, `|`, and `&` are not neutralized, allowing command injection. A proof-of-concept exploit script automates this process, confirming the vulnerability.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the affected router remotely. This can lead to full compromise of the device, including unauthorized control, data manipulation, disruption of services, and potential use of the device as a foothold for further attacks within a network.
- Remote code execution with root privileges
- Compromise of device confidentiality, integrity, and availability
- Potential disruption of network services
- Use of the device for further malicious activities
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send a crafted POST request to the vulnerable endpoint `/boafrm/formLtefotaUpgradeFibocom` with a malicious `fota_url` parameter containing shell metacharacters (e.g., `;`, `|`, `&`). Successful exploitation indicators include receiving an HTTP 200 response and redirection back to `/fota_fibocom.htm`.

Detection involves authenticating to the router first, which requires retrieving an encryption key from `/boafrm/formLoginKey`, encrypting the password using HMAC-MD5 with the provided challenge and public key, and submitting credentials to `/boafrm/formLoginSetup`.

A proof-of-concept Python script automates this process by performing login, sending the malicious POST request, and checking for expected responses. Verification of command execution requires external methods such as monitoring for a reverse shell or other side effects.

- Use curl or similar tools to send an authenticated POST request to `/boafrm/formLtefotaUpgradeFibocom` with `fota_url` containing shell metacharacters, e.g.:
  1. Retrieve login key: `curl http://<router-ip>/boafrm/formLoginKey`
  2. Perform login with encrypted credentials (requires scripting to handle HMAC-MD5 encryption).
  3. Send POST request with malicious payload: `curl -X POST -d "fota_url=http://;id" http://<router-ip>/boafrm/formLtefotaUpgradeFibocom`

Note that the vulnerability requires authentication, so detection commands must handle login steps. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected router's management interface to trusted networks and users only, as exploitation requires authentication.

Since no known mitigations or countermeasures have been identified, it is recommended to replace the affected product or upgrade the firmware if a patch becomes available.

Monitoring network traffic for suspicious POST requests to `/boafrm/formLtefotaUpgradeFibocom` and disabling remote management features can reduce exposure. [3]
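Detection logic for the suspicious-POST monitoring described in the answers above, as an added example that is not part of this advisory or the proof-of-concept it mentions. It assumes request records (method, path, raw form body) exported from a reverse proxy, WAF or IDS sitting in front of the router; the sample records are constructed for the demo.

```python
"""Flag CVE-2026-2169 style requests to the DWR-M921 FOTA endpoint (added
example, not from the advisory). Input: (method, path, form body) records
from a proxy/WAF/IDS in front of the router; samples below are constructed."""
import re
from urllib.parse import unquote_plus

VULN_PATH = "/boafrm/formLtefotaUpgradeFibocom"
# Metacharacters the advisory names (; | &) plus backtick, $( and newline.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

def parse_form(body: str) -> dict:
    """Split a form body on '&' only. Hand-written because some parsers
    (older urllib.parse.parse_qs) also split on ';' and would hide the
    very character we are looking for."""
    form = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        form.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return form

def classify(method: str, path: str, body: str) -> str:
    """Return 'injection', 'fota_request' or 'benign' for one request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return "benign"
    for value in parse_form(body).get("fota_url", []):
        if SHELL_META.search(value):
            return "injection"
    # Legitimate upgrades hit this endpoint too; log them at lower severity.
    return "fota_request"

def scan(records):
    """Return (verdict, method, path, body) for every non-benign record."""
    out = []
    for method, path, body in records:
        verdict = classify(method, path, body)
        if verdict != "benign":
            out.append((verdict, method, path, body))
    return out

# Constructed sample traffic: a normal upgrade, the advisory's payload,
# a URL-encoded variant of it, and unrelated requests.
SAMPLE_RECORDS = [
    ("GET", "/fota_fibocom.htm", ""),
    ("POST", VULN_PATH, "fota_url=http://updates.example.com/fw.bin"),
    ("POST", VULN_PATH, "fota_url=http://;id"),
    ("POST", VULN_PATH, "fota_url=http%3A%2F%2F%3Bid"),
    ("POST", "/boafrm/formLoginSetup", "username=admin&password=xxx"),
]
```

Run `scan(SAMPLE_RECORDS)` to see the two injection hits next to the one ordinary upgrade request; note that the URL-encoded variant is only caught because the value is decoded before matching.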