Description
A flaw has been found in D-Link DWR-M921 1.1.50. It affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. Manipulation of the argument fota_url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Apply Update
AI Analysis

Impact

An attacker can send a specially crafted firmware URL to the sub_419920 function in the /boafrm/formLtefotaUpgradeQuectel endpoint, causing an uncontrolled command to be executed on the device. This command injection flaw allows the execution of arbitrary shell commands, potentially granting full control over the router and compromising its stored data as well as any services it hosts.

Affected Systems

The vulnerability affects D-Link DWR‑M921 routers running firmware version 1.1.50. Only devices with this exact firmware build are known to be vulnerable; other firmware revisions or products are not listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity level. The EPSS score of less than 1% suggests a very low probability of exploitation, and the flaw is not listed in CISA’s KEV catalog. Nevertheless, the exploit is publicly available and can be launched remotely, typically through the router’s network management interface or a remote firmware update request. Given the remote nature of the attack and lack of user interaction requirements, the risk depends on the network exposure of the target device.

Generated by OpenCVE AI on April 17, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware version that removes the sub_419920 command injection flaw.
  • If an update is unavailable, disable remote administration and restrict access to the router’s management interface to trusted internal networks only.
  • Implement network monitoring to detect anomalous command execution attempts or unexpected traffic to the firmware update endpoint.
  • Consider firewall rules that block external access to the ports used by the device’s management services and monitor logs for attempts to access the /boafrm/formLtefotaUpgradeQuectel path.



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dlink, Dlink dwr-m921, Dlink dwr-m921 Firmware
CPEs | | cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*, cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:*:*:*:*:*:*:*
Vendors & Products | | Dlink, Dlink dwr-m921, Dlink dwr-m921 Firmware

Mon, 09 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | D-link, D-link dwr-m921
Vendors & Products | | D-link, D-link dwr-m921

Sun, 08 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in D-Link DWR-M921 1.1.50. This affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Title | | D-Link DWR-M921 formLtefotaUpgradeQuectel sub_419920 command injection
Weaknesses | | CWE-74, CWE-77
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:45:43.557Z

Reserved: 2026-02-07T10:31:19.129Z

Link: CVE-2026-2168

Vulnrichment

Updated: 2026-02-09T21:12:22.220Z

NVD

Status: Analyzed

Published: 2026-02-08T18:15:48.290

Modified: 2026-02-11T18:42:45.187

Link: CVE-2026-2168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:00:11Z
