CVE-2026-11339
Analyzed Analyzed - Analysis Complete
Command Injection in D-Link DWR-M920 Router

Publication date: 2026-06-05

Last updated on: 2026-06-09

Assigner: VulDB

Description
A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-09
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-11339
EUVD
EUVD-2026-34859
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dwr-m920_firmware 1.1.50
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in D-Link DWR-M920 allows remote command injection and potential unauthorized remote code execution. Such security weaknesses can lead to unauthorized access, data breaches, or manipulation of device functions, which may compromise the confidentiality, integrity, and availability of data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable remote exploitation and unauthorized command execution generally increase the risk of non-compliance with these regulations. This is because such regulations require adequate security controls to protect personal and sensitive data from unauthorized access or disclosure.

Therefore, if this vulnerability is exploited, it could potentially lead to violations of data protection requirements under GDPR, HIPAA, or similar standards, especially if the affected device processes or stores regulated data.

Executive Summary

CVE-2026-11339 is a command injection and stack buffer overflow vulnerability found in D-Link DWR-M920 routers running firmware versions V1.1.50 and V1.1.70. The flaw exists in the /boafrm/formUSSDSetup endpoint, specifically in the handling of the ussdValue parameter.

The vulnerability arises because the ussdValue parameter is not properly sanitized before being passed to the system() function via sprintf(). This allows attackers to inject arbitrary shell commands by breaking out of the expected AT command string using single quotes and shell metacharacters such as ;, #, or &.

The issue can be exploited remotely without authentication, enabling attackers to execute commands on the device, create files, or disclose kernel version information. Additionally, the use of unsafe functions like sprintf() can lead to stack buffer overflows when handling excessively long inputs.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on affected D-Link DWR-M920 routers without authentication.

  • Remote command execution can lead to unauthorized control over the device.
  • Attackers may create or modify files on the device.
  • Sensitive information such as kernel version can be disclosed.
  • Exploitation could disrupt network operations or be used as a foothold for further attacks within a network.
Detection Guidance

This vulnerability can be detected by checking if the device is running vulnerable firmware versions (V1.1.50 or V1.1.70) of the D-Link DWR-M920 router and by testing the /boafrm/formUSSDSetup endpoint for command injection via the ussdValue parameter.

One way to detect exploitation attempts or test for the vulnerability is to send crafted HTTP requests to the /boafrm/formUSSDSetup endpoint with payloads containing shell metacharacters such as single quotes, semicolons (;), hashes (#), or ampersands (&) in the ussdValue parameter and observe if arbitrary commands are executed.

For example, you can use curl commands like the following to test for command injection:

  • curl -X POST "http://<router-ip>/boafrm/formUSSDSetup" -d "ussdValue=';id;#"
  • curl -X POST "http://<router-ip>/boafrm/formUSSDSetup" -d "ussdValue=';uname -a;#"

If the response or device behavior indicates execution of these commands (e.g., output of id or uname -a), the device is vulnerable.

Mitigation Strategies

Immediate mitigation steps include sanitizing the ussdValue parameter to allow only USSD-compatible characters such as digits, '*', '#', and '+', and rejecting any input containing shell metacharacters.

Avoid using unsafe functions like sprintf() that can lead to buffer overflows; instead, use safer alternatives like snprintf() and validate input length.

Developers should replace direct system() calls with dedicated AT command libraries or APIs to prevent command injection.

From an operational perspective, update the router firmware to a patched version if available, or restrict access to the vulnerable endpoint by network segmentation or firewall rules to prevent remote exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart