Description
A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: 2.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in D‑Link DWR‑M921 firmware version 1.1.50, affecting the /boafrm/formLtefotaUpgradeFibocom endpoint. By manipulating the fota_url argument, an attacker can inject shell commands, potentially executing arbitrary code on the device. This type of command injection directly compromises the confidentiality, integrity, and availability of the network device.

Affected Systems

Affected product is the D‑Link DWR‑M921 router running firmware 1.1.50. The flaw is limited to the formLtefotaUpgradeFibocom function within the router's web interface and does not affect other modules.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level, and the EPSS score of 0.02607% shows a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread known exploits. The attack vector is remote, likely exploiting the device's web interface; no local privilege or physical access is required. Because the injection can execute arbitrary commands, an attacker could take full control of the device, exfiltrate data, or render the device inoperable.

Generated by OpenCVE AI on June 18, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest firmware revision that incorporates input validation and sanitization to mitigate CWE‑74 and CWE‑77 command injection flaws.
  • Enforce strict input validation on the fota_url parameter, ensuring that only expected characters and formats are accepted; reject or escape shell special characters in accordance with CWE‑74 guidelines.
  • If a firmware update is unavailable, restrict remote access to the web interface, block the /boafrm/formLtefotaUpgradeFibocom endpoint from unauthenticated or untrusted IP addresses, and monitor logs for suspicious command execution attempts.

Generated by OpenCVE AI on June 18, 2026 at 11:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dwr-m921
Dlink dwr-m921 Firmware
CPEs cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dwr-m921
Dlink dwr-m921 Firmware

Mon, 09 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared D-link
D-link dwr-m921
Vendors & Products D-link
D-link dwr-m921

Sun, 08 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Title D-Link DWR-M921 formLtefotaUpgradeFibocom command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

D-link Dwr-m921
Dlink Dwr-m921 Dwr-m921 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:45:58.460Z

Reserved: 2026-02-07T10:35:46.604Z

Link: CVE-2026-2169

cve-icon Vulnrichment

Updated: 2026-02-09T18:54:28.764Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-08T18:15:48.490

Modified: 2026-06-17T10:30:27.737

Link: CVE-2026-2169

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:15:03Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')