Description
A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: 3.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the D-Link DWR-M920 firmware, located in function sub_41CF20 of file /boafrm/formUSSDSetup. The ussdValue parameter is accepted without proper sanitization, allowing an attacker to inject arbitrary shell commands. This flaw is classified as CWE-74 and CWE-77 and enables the execution of system commands remotely, potentially compromising the confidentiality, integrity, and availability of the device.

Affected Systems

All D-Link DWR-M920 devices running firmware version 1.1.50 or older are affected, as the vulnerability exists up to that release. No other product or version information is provided.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of 3% suggests a low probability that the vulnerability will be exploited. The vulnerability is not listed in CISA KEV, but the exploit is publicly available and can be launched over the network without any local access or privileged credentials. A publicly exposed device could therefore be targeted by attackers seeking to gain control of the unit or disrupt network services.

Generated by OpenCVE AI on June 18, 2026 at 12:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update provided by D-Link that resolves the command injection vulnerability.
  • Disable or restrict access to the /boafrm/formUSSDSetup interface if the device does not require USSD operations.
  • Restrict network exposure of the D-Link DWR-M920 by placing it behind a firewall or using VLAN segmentation to limit access from untrusted networks.
  • Monitor device logs for suspicious command execution attempts and enforce strict access controls.

Generated by OpenCVE AI on June 18, 2026 at 12:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dwr-m920
Dlink dwr-m920 Firmware
CPEs cpe:2.3:h:dlink:dwr-m920:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dwr-m920_firmware:1.1.50:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dwr-m920
Dlink dwr-m920 Firmware

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Title D-Link DWR-M920 formUSSDSetup sub_41CF20 command injection
First Time appeared D-link
D-link dwr-m920
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:h:d-link:dwr-m920:*:*:*:*:*:*:*:*
Vendors & Products D-link
D-link dwr-m920
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

D-link Dwr-m920
Dlink Dwr-m920 Dwr-m920 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-09T14:37:14.423Z

Reserved: 2026-06-05T08:18:10.205Z

Link: CVE-2026-11339

cve-icon Vulnrichment

Updated: 2026-06-09T14:10:40.999Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T17:16:46.193

Modified: 2026-06-09T16:17:35.963

Link: CVE-2026-11339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')