CVE-2026-11339 Overview
CVE-2026-11339 is a command injection vulnerability in D-Link DWR-M920 routers up to firmware version 1.1.50. The flaw resides in the sub_41CF20 function within /boafrm/formUSSDSetup, where the ussdValue parameter is passed to a system command without proper sanitization. An authenticated attacker can manipulate this argument over the network to execute arbitrary commands on the device. The exploit is publicly disclosed, increasing the likelihood of opportunistic attacks against exposed devices. The vulnerability is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can inject operating system commands through the ussdValue parameter, leading to arbitrary command execution on the router.
Affected Products
- D-Link DWR-M920 (hardware)
- D-Link DWR-M920 firmware versions up to and including 1.1.50
- Devices exposing the /boafrm/formUSSDSetup web interface endpoint
Discovery Timeline
- 2026-06-05 - CVE-2026-11339 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11339
Vulnerability Analysis
The DWR-M920 is a 4G LTE router that exposes a web-based administration interface served by the embedded boa HTTP daemon. The /boafrm/formUSSDSetup endpoint handles Unstructured Supplementary Service Data (USSD) configuration requests for the cellular modem. Within the binary, the function sub_41CF20 parses the ussdValue parameter from the HTTP request and incorporates it into a shell command without filtering metacharacters. Attackers supplying shell metacharacters such as ;, |, or backticks can append additional commands that execute under the privileges of the web server process, typically root on embedded routers.
Root Cause
The vulnerability stems from improper neutralization of special elements passed to a downstream component (CWE-74). The handler concatenates attacker-controlled input directly into a command string executed via system() or an equivalent shell invocation. No allow-list validation or shell escaping is applied to the ussdValue argument before execution.
Attack Vector
Exploitation requires network access to the router's management interface and low-privilege authentication. The attacker sends a crafted HTTP POST request to /boafrm/formUSSDSetup containing a ussdValue payload that includes shell metacharacters followed by arbitrary commands. Successful exploitation yields command execution on the device, enabling configuration tampering, credential theft, traffic interception, or use of the router as a pivot into internal networks. Technical details and reproduction steps are documented in the GitHub advisory by researcher 7u7777 and the VulDB CVE-2026-11339 entry.
Detection Methods for CVE-2026-11339
Indicators of Compromise
- HTTP POST requests to /boafrm/formUSSDSetup containing shell metacharacters (;, |, &, backticks, $()) in the ussdValue parameter.
- Unexpected outbound connections from the router to attacker-controlled infrastructure following administrative web requests.
- Modified router configuration, unauthorized accounts, or new firewall rules appearing without administrator action.
Detection Strategies
- Inspect web server access logs on the router for anomalous requests targeting /boafrm/formUSSDSetup, especially from non-administrative source addresses.
- Deploy network-based detection rules that flag HTTP request bodies containing common command injection patterns directed at D-Link management endpoints.
- Monitor DNS and NetFlow data for routers initiating unusual outbound traffic to non-vendor destinations.
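The request-level check described in the indicators and detection strategies above, as an added example that is not part of the original advisory or any vendor tooling. The endpoint and parameter names come from this page; the USSD allow-list (digits, * and # only), the CR/LF additions and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/boafrm/formUSSDSetup"   # endpoint named in the advisory
PARAM = "ussdValue"                  # parameter named in the advisory
# Metacharacters from the IoC list (; | & backtick $()); CR/LF are added
# here as an assumption because they also terminate a shell command.
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(")
# Assumption: a legitimate USSD code contains only digits, '*' and '#'.
USSD_ALLOWED = re.compile(r"[0-9*#]{1,64}")


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %253B is still seen as ';'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(raw):
    """Return (reason, decoded_value) findings for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2:
        return []
    method, path = parts[0].upper(), parts[1].split("?", 1)[0]
    if method != "POST" or path != ENDPOINT:
        return []
    findings = []
    for raw_value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw_value)
        if SHELL_META.search(value):
            findings.append(("shell-metacharacter", value))
        elif value and not USSD_ALLOWED.fullmatch(value):
            findings.append(("outside-ussd-allow-list", value))
    return findings


def build_request(path, body):
    """Constructed sample request; 192.0.2.1 is a documentation address."""
    return f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n{body}"


if __name__ == "__main__":
    for body in ("ussdValue=*100%23",                      # benign code
                 "ussdValue=*100%23%3Becho+test",          # encoded once
                 "ussdValue=*100%2523%253Becho%2520test"): # encoded twice
        print(body, "->", inspect_request(build_request(ENDPOINT, body)))
```

The allow-list branch catches values that avoid the listed metacharacters but still do not look like a USSD code, which is the stricter of the two signals.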
Monitoring Recommendations
- Restrict the router management interface to a dedicated management VLAN and log all access attempts.
- Forward router syslog data to a centralized SIEM and alert on authentication events followed by USSD configuration requests.
- Baseline normal administrative traffic to the DWR-M920 and alert on deviations in request frequency or payload content.
How to Mitigate CVE-2026-11339
Immediate Actions Required
- Disable remote (WAN-side) access to the router's web administration interface until a patched firmware is installed.
- Change all administrative credentials on the DWR-M920 to strong, unique values, since exploitation requires low-privilege authentication.
- Place affected devices behind a firewall or ACL that restricts management access to trusted internal hosts only.
Patch Information
At the time of publication, D-Link has not released a firmware update addressing CVE-2026-11339 that is referenced in the NVD record. Monitor the D-Link official website and the vendor advisory tracking page for updated firmware releases. Apply any future firmware update for the DWR-M920 immediately upon availability.
Workarounds
- Block external access to TCP ports used by the router's web management interface at the perimeter firewall.
- Segment the DWR-M920 onto an isolated network so that command execution on the device cannot be used to pivot to sensitive systems.
- Where USSD configuration is not required, avoid interaction with the /boafrm/formUSSDSetup endpoint and audit any accounts authorized to access it.