CVE-2026-11341
Description
D-Link DWR-M920 devices are vulnerable to OS command injection via the IMEI_value parameter in formIMEISetup, allowing remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in D-Link DWR-M920 devices up to version 1.1.50, in the /boafrm/formIMEISetup handler of the Boa web server. The IMEI_value POST parameter is passed directly into sprintf() and the resulting string is executed via system() without sanitization or validation, which allows OS command injection. Which code path runs depends on the installed modem module, as identified by sub_412DA0 [1].
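The validation step the handler lacks, as an added example (not D-Link's code and not taken from the cited references): an allowlist check applied to the parameter before any command string is built. The function names and the `AT+EXAMPLE` template are hypothetical placeholders, and requiring a valid Luhn check digit is an assumption about what the handler should accept.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist check: exactly 15 ASCII digits with a valid Luhn check digit.
 * Anything else (shell metacharacters, quotes, whitespace) is rejected. */
int imei_is_valid(const char *s)
{
    int sum = 0;

    if (s == NULL || strlen(s) != 15)
        return 0;
    for (int i = 0; i < 15; i++) {
        if (s[i] < '0' || s[i] > '9')
            return 0;
        int d = s[i] - '0';
        if (i % 2 == 1) {          /* double every second digit */
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
    }
    return sum % 10 == 0;
}

/* Hypothetical builder: formats the command only after validation and
 * reports truncation instead of overflowing, unlike a bare sprintf().
 * "AT+EXAMPLE" is a placeholder, not the device's real AT command. */
int build_imei_command(char *out, size_t outlen, const char *imei)
{
    if (out == NULL || outlen == 0 || !imei_is_valid(imei))
        return -1;
    int n = snprintf(out, outlen, "AT+EXAMPLE=\"%s\"", imei);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char cmd[64];
    /* Constructed sample inputs: one well-formed IMEI, one with a metacharacter. */
    const char *samples[] = { "490154203237518", "49015420323751;" };

    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", samples[i],
               build_imei_command(cmd, sizeof cmd, samples[i]) == 0 ? cmd : "rejected");
    return 0;
}
```

Validation of this kind is strongest when the validated value is also kept away from a shell, for example by writing the AT command to the modem device directly instead of calling system().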
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the /boafrm/formIMEISetup endpoint. The request must include a malicious payload within the IMEI_value parameter. The vulnerability is triggered when the device's modem module matches one of the supported types, allowing the attacker-supplied IMEI_value to be injected into an AT command executed by the system() function [1].
Impact
Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected D-Link DWR-M920 device. This can lead to a full compromise of the device, potentially allowing the attacker to gain control over network functions, access sensitive information, or use the device as a pivot point for further network attacks.
Mitigation
There is no specific patched version or release date mentioned in the available references. Users are advised to check for firmware updates from D-Link. As of the publication of this vulnerability, no workarounds or specific mitigation steps beyond updating firmware have been disclosed in the available references [1, 2].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 6
News mentions: 1
- D-Link DWR-M920: Three Command Injection Flaws Disclosed Together (Vypr Intelligence, Jun 5, 2026)