D-Link DWR-M920: Three Command Injection Flaws Disclosed Together
Three medium-severity command injection vulnerabilities affecting D-Link DWR-M920 routers were disclosed on June 5, 2026, with exploits already available.

Key findings
- Three command injection vulnerabilities disclosed for D-Link DWR-M920 routers.
- All vulnerabilities are rated medium severity with a CVSSv3 score of 6.3.
- Exploits for all three CVEs are publicly available, increasing immediate risk.
- Affected devices are D-Link DWR-M920 routers running firmware up to version 1.1.50, with version 1.1.70 also listed for one of the flaws.
- Vulnerabilities allow remote attackers to execute arbitrary commands on the router.

On June 5, 2026, a cluster of three medium-severity vulnerabilities was disclosed for D-Link's DWR-M920 router, all stemming from command injection flaws. These issues, disclosed within an 18-hour window, impact devices up to version 1.1.50 and potentially 1.1.70. Critically, exploits for these vulnerabilities have been published, increasing the risk to users.
The vulnerabilities share a common theme: the ability for remote attackers to inject and execute arbitrary commands on the affected devices. This is achieved by manipulating specific arguments within different web interface functions.
CVE-2026-11341 targets the IMEI_value argument within the formIMEISetup function. By manipulating this argument, an attacker can achieve OS command injection. This flaw affects D-Link DWR-M920 devices running firmware up to version 1.1.50.
Similarly, CVE-2026-11339 involves command injection through the ussdValue argument in the formUSSDSetup function. This vulnerability also affects DWR-M920 devices up to version 1.1.50.
The third vulnerability, CVE-2026-10878, resides in the formSmsManage function, specifically through manipulation of the action_value argument. This flaw impacts D-Link DWR-M920 versions 1.1.50 and 1.1.70.
All three vulnerabilities carry a CVSSv3 score of 6.3, classifying them as medium severity. The descriptions explicitly state that exploits are publicly available, meaning attackers could leverage these flaws without significant effort. Because the attacks are remote, an attacker does not need to be physically present or on the same network as the vulnerable device to exploit it, which poses a significant risk to devices exposed to the internet.
While specific patch details were not provided in the disclosure, the affected versions indicate that users running firmware 1.1.50 or earlier on the DWR-M920 model are at risk. Users are strongly advised to check for and apply any available firmware updates from D-Link to mitigate these command injection risks. The simultaneous disclosure and availability of exploits highlight the urgency for users to secure their D-Link DWR-M920 devices.
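A defender-side check for the three parameters named above, as an added example that is not from the disclosure or from D-Link: it inspects form-encoded POST bodies (for instance from a reverse proxy or WAF log) and flags values that fall outside an allowlist. Only the handler and parameter names come from the disclosure; the request paths, sample bodies and allowlist patterns are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Handler -> (parameter, allowlist). Handler and parameter names are from the
# disclosure; the allowlist patterns are assumptions about legitimate values.
WATCHED = {
    "formIMEISetup": ("IMEI_value", re.compile(r"[0-9]{15}")),      # IMEI is 15 digits
    "formUSSDSetup": ("ussdValue", re.compile(r"[0-9*#]{1,32}")),   # USSD code charset
    "formSmsManage": ("action_value", re.compile(r"[A-Za-z0-9_]{1,32}")),  # assumed token
}
# Characters a shell treats specially; used only to grade how serious a hit is.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")


def inspect_request(path, body):
    """Return (handler, parameter, verdict) findings for one POST request."""
    handler = path.rstrip("/").rsplit("/", 1)[-1]
    if handler not in WATCHED:
        return []
    param, allowed = WATCHED[handler]
    findings = []
    # parse_qsl URL-decodes, so %3B or %60 are judged in their decoded form.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name != param or allowed.fullmatch(value):
            continue
        verdict = "shell-metachar" if SHELL_META.search(value) else "bad-format"
        findings.append((handler, param, verdict))
    return findings


def scan(records):
    """Run inspect_request over (path, body) pairs and collect all findings."""
    return [f for path, body in records for f in inspect_request(path, body)]


# Constructed sample traffic, not captured from a device; paths are placeholders.
SAMPLE = [
    ("/example/formIMEISetup", "IMEI_value=490154203237518"),
    ("/example/formIMEISetup", "IMEI_value=490154203237518%3Buname"),
    ("/example/formUSSDSetup", "ussdValue=*123%23"),
    ("/example/formUSSDSetup", "ussdValue=%2A123%23%60uname%60"),
    ("/example/formSmsManage", "action_value=delete+all"),
    ("/example/status", "IMEI_value=%3Buname"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

A "bad-format" verdict means the value broke the assumed allowlist without containing shell metacharacters, so it is worth reviewing but may simply show that the assumed pattern is too strict.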