Description
A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the D-Link DWR-M920 firmware. The function sub_41CF20 (a disassembler-assigned label, not an exported symbol name) behind the /boafrm/formUSSDSetup handler accepts the user-supplied ussdValue parameter without proper sanitization, so shell metacharacters in the value become additional commands executed on the device. The flaw is classified as CWE-74 (improper neutralization of special elements) and CWE-77 (command injection) and enables remote execution of system commands, compromising the confidentiality, integrity, and availability of the device.

Affected Systems

All D-Link DWR-M920 devices running firmware version 1.1.50 or older are affected, as the vulnerability exists up to that release. No other product or version information is provided.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (6.3 under CVSS 3.1) indicates moderate severity, and a public exploit is available that works over the network without user interaction. Note, however, that every published vector requires low privileges (PR:L, Au:S in the v2 vector): the attacker needs a valid session on the router's web interface, typically a logged-in account, rather than unauthenticated access. The EPSS estimate is below 1% and the vulnerability is not listed in CISA KEV, but a device whose management interface is reachable from the internet or from a hostile LAN, particularly one with weak or default administrative credentials, is a realistic target for attackers seeking to gain control of the unit or disrupt its network services.

Generated by OpenCVE AI on June 5, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DWR-M920 firmware as soon as D-Link publishes a release later than 1.1.50 that fixes the injection; at the time of this entry no fixed version is listed.
  • Until then, keep the web management interface, and the /boafrm/formUSSDSetup endpoint in particular, unreachable from untrusted networks: disable WAN-side remote management and restrict LAN access to the administrative interface to trusted hosts. Because the published vectors require a valid low-privilege session, also replace default or weak administrative credentials so that the precondition is harder to meet.
  • For the firmware maintainers, the durable fix is allow-list validation of ussdValue (accept only the characters a USSD code legitimately needs, with a length cap) combined with invoking the underlying helper with an explicit argument vector rather than through a shell, so that the value can never be parsed as a command.
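The injection pattern described in the Impact section and the validation fix in the last recommended action, as an added example written for this page in C. It is not the DWR-M920 firmware and not D-Link's code: the handler shape, the helper path /usr/sbin/ussd_tool, and the rule that a USSD string consists only of digits, '*' and '#' with a length cap are assumptions. The vulnerable pattern splices the form field into a command line destined for system(); the hardened path allow-lists the value and passes it as a single argv element through execv, so a constructed value such as *100#;reboot is rejected outright, and even if it reached the helper it would arrive as one literal argument rather than two commands.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical handler code, written to illustrate the pattern behind the
 * advisory. It is not the DWR-M920 firmware; the helper binary path and the
 * USSD syntax rules below are assumptions made for this example. */

#define USSD_MAX_LEN 32
#define USSD_HELPER  "/usr/sbin/ussd_tool"   /* assumed helper; not from the advisory */

/* Vulnerable pattern: the untrusted form field is spliced into a command
 * string that would be handed to system(), i.e. to /bin/sh -c. Any shell
 * metacharacter in ussd_value (; | ` $( ) becomes part of the command.
 * Returns 0 and fills `out` with the command line, -1 if it does not fit. */
int build_shell_command(const char *ussd_value, char *out, size_t out_len) {
    int n = snprintf(out, out_len, USSD_HELPER " %s", ussd_value);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Allow-list check (assumed policy): a USSD string is digits plus '*' and
 * '#', non-empty and bounded in length. Rejecting everything else also
 * rejects every shell metacharacter, whitespace and control character.
 * Returns 1 if acceptable, 0 otherwise. */
int ussd_value_is_valid(const char *ussd_value) {
    if (ussd_value == NULL) return 0;
    size_t len = strlen(ussd_value);
    if (len == 0 || len > USSD_MAX_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ussd_value[i];
        if (!(isdigit(c) || c == '*' || c == '#')) return 0;
    }
    return 1;
}

/* Run a program with an explicit argv and no shell. The argument is passed
 * as one element, so "*100#;reboot" reaches the callee as a literal string,
 * not as two commands. Returns the child's exit status, or -1 on failure
 * (fork/wait error or abnormal termination). */
int run_without_shell(const char *path, const char *arg) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, (char *)arg, NULL };
        execv(path, argv);
        _exit(127);   /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened handler: validate first, then exec without a shell.
 * Returns -1 when the value is rejected, otherwise the helper's exit status. */
int ussd_send_hardened(const char *ussd_value, const char *helper_path) {
    if (!ussd_value_is_valid(ussd_value)) return -1;
    return run_without_shell(helper_path, ussd_value);
}

int main(void) {
    char cmd[256];
    const char *injected = "*100#;reboot";   /* constructed sample input */

    build_shell_command(injected, cmd, sizeof cmd);
    printf("vulnerable pattern would run: sh -c '%s'\n", cmd);
    printf("allow-list verdict for '%s': %d\n", injected, ussd_value_is_valid(injected));
    /* /bin/true stands in for the helper so the demonstration runs anywhere */
    printf("hardened path rc for injected value: %d\n", ussd_send_hardened(injected, "/bin/true"));
    printf("hardened path rc for *100#: %d\n", ussd_send_hardened("*100#", "/bin/true"));
    return 0;
}
```

In main(), /bin/true stands in for the helper so the demonstration runs on any Linux host; on the real device the same call would point at whatever program performs the USSD transaction. The allow-list is deliberately stricter than an escaping approach: escaping has to enumerate every character the shell treats specially, whereas rejecting anything outside a small known-good set needs no knowledge of the shell at all, and passing the value through execv removes the shell from the path entirely.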

Generated by OpenCVE AI on June 5, 2026 at 17:20 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Type                  Values Removed   Values Added
Description           -                A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Title                 -                D-Link DWR-M920 formUSSDSetup sub_41CF20 command injection
First Time appeared   -                D-link
                                       D-link dwr-m920
Weaknesses            -                CWE-74
                                       CWE-77
CPEs                  -                cpe:2.3:h:d-link:dwr-m920:*:*:*:*:*:*:*:*
Vendors & Products    -                D-link
                                       D-link dwr-m920
References            -                -
Metrics               -                cvssV2_0  {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                       cvssV3_0  {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV3_1  {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV4_0  {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-05T16:30:11.653Z

Reserved: 2026-06-05T08:18:10.205Z

Link: CVE-2026-11339

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-05T17:16:46.193

Modified: 2026-06-05T19:03:48.933

Link: CVE-2026-11339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T17:30:45Z

Weaknesses