Skip to main content

D-Link DWR-M920 CVE-2025-15192

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-12-29 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:44 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary commands via the fota_url parameter in the /boafrm/formLtefotaUpgradeQuectel endpoint. Public exploit code is available, though EPSS exploitation probability remains low at 0.20% percentile, suggesting limited real-world exploitation despite proof-of-concept availability.

Technical ContextAI

The vulnerability exists in the LTE firmware-over-the-air (FOTA) upgrade functionality, specifically in the sub_415328 function handling the formLtefotaUpgradeQuectel form submission. The fota_url parameter is passed to a command execution context without proper sanitization, enabling OS command injection (CWE-74: Improper Neutralization of Special Elements used in an OS Command). The firmware runs on a D-Link DWR-M920 mobile broadband router with embedded web administration interface (boafrm CGI handlers), allowing authenticated users with web UI access to inject shell metacharacters into firmware update URLs.

RemediationAI

Upgrade D-Link DWR-M920 firmware to a version newer than 1.1.50 if available from D-Link (check www.dlink.com for latest firmware release and security patches). Immediate compensating controls: restrict access to the /boafrm/formLtefotaUpgradeQuectel endpoint to trusted networks only via firewall rules; disable web administration access to the device except from secured management VLANs; implement strong authentication on the web UI with unique, complex passwords and disable default credentials; audit admin user accounts and remove unnecessary administrative privileges. If firmware upgrade is not immediately available, monitor the device for suspicious FOTA upgrade attempts and block external requests to the firmware upgrade endpoint at the network perimeter. These controls mitigate exploitation risk while patches are pending, with the trade-off of reduced remote management convenience.

Share

CVE-2025-15192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy