CVE-2026-10878: D-Link DWR-M920 Firmware RCE Vulnerability

CVE-2026-10878 Overview

CVE-2026-10878 is a command injection vulnerability in the D-Link DWR-M920 router firmware versions 1.1.50 and 1.1.70. The flaw resides in the sub_41C8E8 function within the /boafrm/formSmsManage endpoint. Attackers can manipulate the action_value parameter to inject operating system commands that the router executes. The vulnerability is exploitable over the network and requires low-level privileges. A public exploit has been disclosed, increasing the likelihood of opportunistic abuse against exposed devices. The weakness is categorized as improper neutralization of special elements in output used by a downstream component [CWE-74].

Critical Impact

Authenticated remote attackers can inject arbitrary commands into the router's SMS management handler, leading to unauthorized command execution on affected D-Link DWR-M920 devices.

Affected Products

• D-Link DWR-M920 firmware version 1.1.50
• D-Link DWR-M920 firmware version 1.1.70
• D-Link DWR-M920 hardware appliance

Discovery Timeline

• 2026-06-05 - CVE-2026-10878 published to NVD
• 2026-06-05 - Last updated in NVD database

Technical Details for CVE-2026-10878

Vulnerability Analysis

The DWR-M920 is a 4G LTE router that exposes a web-based management interface served by the boa HTTP server. The SMS management feature is handled by /boafrm/formSmsManage, which delegates request processing to the internal function sub_41C8E8. This function consumes the action_value HTTP parameter without proper sanitization before passing it into a shell-invoking primitive.

Because the parameter content reaches the command interpreter unfiltered, an attacker who can reach the management interface can append shell metacharacters and arbitrary commands. Successful exploitation yields command execution in the context of the web server process, which on D-Link consumer routers typically runs with elevated privileges. The attacker can use this access to alter routing configuration, capture traffic, or pivot into adjacent network segments.

Root Cause

The root cause is missing input neutralization in sub_41C8E8. The handler concatenates attacker-controlled data into a command string instead of using safe argument passing or strict allow-listing. This pattern matches [CWE-74] injection weaknesses common in embedded web management firmware.

Attack Vector

The attack vector is network-based against the device's HTTP management interface. The CVSS metrics indicate low privileges are required, meaning the attacker must hold valid credentials or reuse default credentials still present on the device. No user interaction is required. Public proof-of-concept material is referenced in the GitHub PoC Repository and VulDB CVE-2026-10878 entries.

No verified exploit code is reproduced here. Refer to the public references for technical details of the injection payload structure.

Detection Methods for CVE-2026-10878

Indicators of Compromise

• HTTP POST requests to /boafrm/formSmsManage containing shell metacharacters (;, |, &, backticks, $()) inside the action_value parameter.
• Outbound connections from the router to unknown hosts following requests to the SMS management endpoint.
• Unexpected processes spawned by the boa web server such as sh, wget, tftp, or busybox utilities used for staging.

Detection Strategies

• Inspect router access logs and upstream proxy logs for requests to /boafrm/formSmsManage originating from untrusted networks.
• Apply network IDS signatures that flag shell metacharacters within form parameters destined for D-Link management URIs.
• Compare device firmware versions in inventory against the affected versions 1.1.50 and 1.1.70.

Monitoring Recommendations

• Forward router syslog and HTTP access logs to a central log platform and alert on requests targeting formSmsManage.
• Monitor DNS and NetFlow telemetry for routers initiating connections to known malware staging infrastructure.
• Track configuration change events on managed D-Link devices and alert on out-of-band modifications.

How to Mitigate CVE-2026-10878

Immediate Actions Required

• Restrict access to the router's web management interface to trusted internal management VLANs only.
• Disable remote WAN-side administration on all DWR-M920 devices.
• Rotate administrator credentials and remove any accounts using default passwords.
• Audit deployed firmware to identify devices running versions 1.1.50 or 1.1.70.

Patch Information

No vendor fix has been listed in the public references at the time of publication. Refer to the D-Link Official Website and the VulDB Vulnerability #368368 record for updated advisory status. Until a vendor-supplied firmware update is available, treat affected devices as exposed and apply compensating network controls.

Workarounds

• Place affected DWR-M920 routers behind an upstream firewall that blocks inbound HTTP and HTTPS to the device management interface.
• Use access control lists to allow management traffic only from a defined administrator subnet.
• Where SMS management functionality is unused, document the operational risk and consider replacing the device with a model that receives current vendor support.

# Example: restrict management interface to a trusted subnet using upstream iptables
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP