CVE-2026-11339
Command Injection in D-Link DWR-M920 Router
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| d-link | dwr-m920 | up to 1.1.50 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11339 is a command injection and stack buffer overflow vulnerability found in D-Link DWR-M920 routers running firmware versions V1.1.50 and V1.1.70. The flaw exists in the /boafrm/formUSSDSetup endpoint, specifically in the handling of the ussdValue parameter.
The vulnerability arises because the ussdValue parameter is not properly sanitized before being passed to the system() function via sprintf(). This allows attackers to inject arbitrary shell commands by breaking out of the expected AT command string using single quotes and shell metacharacters such as ;, #, or &.
The issue can be exploited remotely without authentication, enabling attackers to execute commands on the device, create files, or disclose kernel version information. Additionally, the use of unsafe functions like sprintf() can lead to stack buffer overflows when handling excessively long inputs.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on affected D-Link DWR-M920 routers without authentication.
- Remote command execution can lead to unauthorized control over the device.
- Attackers may create or modify files on the device.
- Sensitive information such as kernel version can be disclosed.
- Exploitation could disrupt network operations or be used as a foothold for further attacks within a network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the device is running vulnerable firmware versions (V1.1.50 or V1.1.70) of the D-Link DWR-M920 router and by testing the /boafrm/formUSSDSetup endpoint for command injection via the ussdValue parameter.
One way to detect exploitation attempts or test for the vulnerability is to send crafted HTTP requests to the /boafrm/formUSSDSetup endpoint with payloads containing shell metacharacters such as single quotes, semicolons (;), hashes (#), or ampersands (&) in the ussdValue parameter and observe if arbitrary commands are executed.
For example, you can use curl commands like the following to test for command injection:
- curl -X POST "http://<router-ip>/boafrm/formUSSDSetup" -d "ussdValue=';id;#"
- curl -X POST "http://<router-ip>/boafrm/formUSSDSetup" -d "ussdValue=';uname -a;#"
If the response or device behavior indicates execution of these commands (e.g., output of id or uname -a), the device is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing the ussdValue parameter to allow only USSD-compatible characters such as digits, '*', '#', and '+', and rejecting any input containing shell metacharacters.
Avoid using unsafe functions like sprintf() that can lead to buffer overflows; instead, use safer alternatives like snprintf() and validate input length.
Developers should replace direct system() calls with dedicated AT command libraries or APIs to prevent command injection.
From an operational perspective, update the router firmware to a patched version if available, or restrict access to the vulnerable endpoint by network segmentation or firewall rules to prevent remote exploitation.
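The input-validation and bounded-formatting fix described in the mitigation answer above, as an added C example that is not the page's or D-Link's code: the handler accepts only digits, '*', '#' and '+' in the USSD string, bounds the copy with snprintf() and treats truncation as an error, and returns the assembled AT command to the caller instead of passing it to system(). The AT+CUSD syntax, the length limits and the function names are assumptions made for this example; the router's real handler and command format are not documented on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest USSD string accepted (constructed limit for this example). */
#define USSD_MAX_LEN 32
/* Fixed-size buffer for the AT command; snprintf() is bounded by its size. */
#define AT_CMD_LEN 64

/* Accept only the characters a USSD code can legitimately contain:
 * digits, '*', '#' and '+'. Quotes, ';', '&', spaces and control bytes
 * are rejected, so no shell metacharacter can reach a command interpreter. */
bool ussd_is_valid(const char *ussd)
{
    if (ussd == NULL) return false;
    size_t len = 0;
    while (len <= USSD_MAX_LEN && ussd[len] != '\0') len++;
    if (len == 0 || len > USSD_MAX_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        char c = ussd[i];
        if (!((c >= '0' && c <= '9') || c == '*' || c == '#' || c == '+'))
            return false;
    }
    return true;
}

/* Build the modem AT command for a USSD request into a caller-supplied
 * buffer. Returns 0 on success, -1 if the input fails validation or the
 * buffer is too small. The AT+CUSD format follows the 3GPP 27.007 syntax
 * and is an assumption for this example; the line terminator is left to
 * the transport layer. */
int build_ussd_at_command(const char *ussd, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (!ussd_is_valid(ussd)) return -1;
    /* snprintf() never writes past outlen and reports the length it needed. */
    int n = snprintf(out, outlen, "AT+CUSD=1,\"%s\",15", ussd);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;   /* would have been truncated: fail instead of sending a cut string */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a legitimate balance-check code, a string
     * shaped like the quote-and-metacharacter input the page describes,
     * a code with a leading '+', and an empty value. */
    const char *inputs[] = { "*100#", "';id;#", "+123*45#", "" };
    char cmd[AT_CMD_LEN];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = build_ussd_at_command(inputs[i], cmd, sizeof cmd);
        printf("input %-10s -> %s\n", inputs[i], rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```

The caller is expected to write the returned string to the modem's AT interface (a serial device or a dedicated AT library, as the mitigation answer recommends) rather than to a shell; because no shell is involved and the string can only contain USSD characters, there is no command boundary for an attacker to break out of. A request whose ussdValue fails ussd_is_valid() is also a useful event to log, since legitimate USSD traffic never contains quotes or metacharacters.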
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in D-Link DWR-M920 allows remote command injection and potential unauthorized remote code execution. Such security weaknesses can lead to unauthorized access, data breaches, or manipulation of device functions, which may compromise the confidentiality, integrity, and availability of data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable remote exploitation and unauthorized command execution generally increase the risk of non-compliance with these regulations. This is because such regulations require adequate security controls to protect personal and sensitive data from unauthorized access or disclosure.
Therefore, if this vulnerability is exploited, it could potentially lead to violations of data protection requirements under GDPR, HIPAA, or similar standards, especially if the affected device processes or stores regulated data.