Description
A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection allowing Remote Command Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in D‑Link DWR‑M921 firmware version 1.1.50, affecting the /boafrm/formLtefotaUpgradeFibocom endpoint. By manipulating the fota_url argument, an attacker can inject shell commands, potentially executing arbitrary code on the device. This type of command injection directly compromises the confidentiality, integrity, and availability of the network device.

Affected Systems

The affected product is the D‑Link DWR‑M921 router running firmware 1.1.50. The flaw is limited to the formLtefotaUpgradeFibocom function within the router's web interface and does not affect other modules.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level, and the EPSS score of less than 1% shows a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread known exploitation, although the description states that an exploit has been publicly disclosed. The attack vector is remote, likely through the device's web interface; no local or physical access is required, but the CVSS vectors recorded for this CVE specify low privileges (PR:L in v3/v4, Au:S in v2), so the attacker needs an authenticated session. Because the injection can execute arbitrary commands, an attacker could take full control of the device, exfiltrate data, or render the device inoperable.

Generated by OpenCVE AI on April 17, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest firmware revision that fixes the command injection flaw.
  • If a firmware update is not immediately available, restrict remote access to the router or block the /boafrm/formLtefotaUpgradeFibocom endpoint from untrusted IP addresses.
  • Monitor device logs and network traffic for suspicious command execution attempts and apply patches as soon as they are released.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dwr-m921
Dlink dwr-m921 Firmware
CPEs cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dwr-m921
Dlink dwr-m921 Firmware

Mon, 09 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared D-link
D-link dwr-m921
Vendors & Products D-link
D-link dwr-m921

Sun, 08 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Title D-Link DWR-M921 formLtefotaUpgradeFibocom command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:45:58.460Z

Reserved: 2026-02-07T10:35:46.604Z

Link: CVE-2026-2169

Vulnrichment

Updated: 2026-02-09T18:54:28.764Z

NVD

Status: Analyzed

Published: 2026-02-08T18:15:48.490

Modified: 2026-02-11T18:41:35.717

Link: CVE-2026-2169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:00:11Z

Weaknesses