VYPR
Medium severity 6.3 | NVD Advisory | Published Jun 5, 2026 | Updated Jun 5, 2026

CVE-2026-11339

Description

D-Link DWR-M920 devices are vulnerable to command injection via the formUSSDSetup function, allowing remote attackers to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A command injection vulnerability exists in D-Link DWR-M920 devices, specifically in the sub_41CF20 function reached through /boafrm/formUSSDSetup. The flaw affects firmware versions up to 1.1.50 and 1.1.70. It arises because the ussdValue parameter is formatted into a command string with sprintf without sanitization or length checks, and the resulting string is then passed to the system function for execution [1].
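The mitigation this class of flaw calls for is to never hand user input to a shell: validate ussdValue against the small character set a USSD code can contain, and invoke the modem helper with a fixed argv via execv() rather than system(). The C below is an added illustration written for this page, not D-Link's firmware code; the helper path /usr/sbin/ussd_send, the --code flag and the 32-character limit are assumptions, and the vulnerable shape is only described in a comment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not the DWR-M920 handler. The advisory describes the
 * real sub_41CF20 as doing roughly: sprintf(cmd, "<helper> %s", ussdValue);
 * system(cmd);  which lets shell metacharacters in ussdValue run as commands.
 * Everything below is the safe replacement for that pattern. */

#define USSD_MAX 32          /* assumed bound; real USSD codes are short */
#define USSD_HELPER "/usr/sbin/ussd_send"   /* placeholder helper path */

/* Returns true only if s is a syntactically plausible USSD code: non-empty,
 * at most USSD_MAX bytes, and made solely of digits, '*' and '#'. Every
 * shell metacharacter (';', '|', '&', '$', '`', quotes, whitespace, newline)
 * falls outside that allowlist and is rejected before any formatting. */
bool ussd_is_valid(const char *s)
{
    if (s == NULL) return false;
    size_t n = 0;
    for (; s[n] != '\0'; n++) {
        if (n >= USSD_MAX) return false;          /* length check first */
        char c = s[n];
        if (!((c >= '0' && c <= '9') || c == '*' || c == '#')) return false;
    }
    return n > 0;
}

/* Build a fixed argv for the (hypothetical) helper. The USSD code becomes a
 * single argv element, so no shell ever parses it. Returns the number of
 * entries written (excluding the NULL terminator) or -1 if validation fails.
 * argv must have room for at least 4 pointers. */
int ussd_build_argv(const char *ussd, char *argv[], size_t argv_len)
{
    if (argv_len < 4 || !ussd_is_valid(ussd)) return -1;
    argv[0] = USSD_HELPER;
    argv[1] = "--code";               /* assumed helper flag */
    argv[2] = (char *)ussd;
    argv[3] = NULL;
    return 3;
}

/* Safe dispatch: validate, fork, execv() the helper directly. Even if the
 * allowlist were later loosened, execv() interprets no metacharacters.
 * Returns the helper's exit status, or -1 on invalid input or failure. */
int ussd_dispatch(const char *ussd)
{
    char *argv[4];
    if (ussd_build_argv(ussd, argv, 4) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                   /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: a normal balance-check code and one
     * carrying a shell separator, as a request handler might receive them. */
    const char *ok = "*100#";
    const char *bad = "*100#;id";
    return (ussd_is_valid(ok) && !ussd_is_valid(bad)) ? 0 : 1;
}
```

In a real handler the validation would run on the decoded POST parameter before any string is built, and the helper path would be compiled in rather than taken from configuration; the point is that the only data-dependent content is a validated argv element.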

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted POST request to the /boafrm/formUSSDSetup endpoint. The ussdValue parameter needs to be manipulated to break out of the expected string format and inject arbitrary shell commands, which are then executed by the device. An example payload demonstrates injecting commands like cat /proc/version > /tmp/ussd_pwn [1].

Impact

Successful exploitation of this vulnerability allows an attacker to achieve command injection, leading to the execution of arbitrary commands on the affected D-Link DWR-M920 device with the privileges of the web server process. This could potentially lead to a stack buffer overflow as well [1].

Mitigation

Details regarding a fixed version or a patch for this vulnerability are not yet disclosed in the available references. Users are advised to check D-Link's official advisories for updates. No workarounds are provided at this time [1, 2].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 6

News mentions: 1