D-Link DWR-M920 CVE-2025-15192
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary commands via the fota_url parameter in the /boafrm/formLtefotaUpgradeQuectel endpoint. Public exploit code is available, though EPSS exploitation probability remains low at 0.20% percentile, suggesting limited real-world exploitation despite proof-of-concept availability.
Technical ContextAI
The vulnerability exists in the LTE firmware-over-the-air (FOTA) upgrade functionality, specifically in the sub_415328 function handling the formLtefotaUpgradeQuectel form submission. The fota_url parameter is passed to a command execution context without proper sanitization, enabling OS command injection (CWE-74: Improper Neutralization of Special Elements used in an OS Command). The firmware runs on a D-Link DWR-M920 mobile broadband router with embedded web administration interface (boafrm CGI handlers), allowing authenticated users with web UI access to inject shell metacharacters into firmware update URLs.
RemediationAI
Upgrade D-Link DWR-M920 firmware to a version newer than 1.1.50 if available from D-Link (check www.dlink.com for latest firmware release and security patches). Immediate compensating controls: restrict access to the /boafrm/formLtefotaUpgradeQuectel endpoint to trusted networks only via firewall rules; disable web administration access to the device except from secured management VLANs; implement strong authentication on the web UI with unique, complex passwords and disable default credentials; audit admin user accounts and remove unnecessary administrative privileges. If firmware upgrade is not immediately available, monitor the device for suspicious FOTA upgrade attempts and block external requests to the firmware upgrade endpoint at the network perimeter. These controls mitigate exploitation risk while patches are pending, with the trade-off of reduced remote management convenience.
More in Dwr M920 Firmware
View allA weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the f
A weakness has been identified in D-Link DWR-M920 1.1.50. Rated high severity (CVSS 7.4), this vulnerability is remotely
A security flaw has been discovered in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Rated high severity (CVS
A vulnerability was identified in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Rated high severity (CVSS 7.4
A vulnerability was determined in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Rated high severity (CVSS 7.4
A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Rated high severity (CVSS 7.4
A flaw has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Rated high severity (CVSS 7.4), this v
A weakness has been identified in D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K and DIR-825M 1.01.07. Rated high severit
A security flaw has been discovered in D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M 1.01.07/1.1.47. Rated
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today