CVE-2026-11341 Overview
CVE-2026-11341 is an operating system (OS) command injection vulnerability affecting D-Link DWR-M920 routers up to firmware version 1.1.50. The flaw resides in the sub_412DA0 function of the /boafrm/formIMEISetup endpoint. An authenticated remote attacker can manipulate the IMEI_value parameter to inject arbitrary OS commands into the underlying shell. The weakness is tracked under [CWE-77] (Improper Neutralization of Special Elements used in a Command). A public exploit has been disclosed, increasing the likelihood of opportunistic abuse against exposed management interfaces.
Critical Impact
Authenticated remote attackers can inject arbitrary OS commands through the IMEI_value parameter of /boafrm/formIMEISetup, leading to limited integrity, confidentiality, and availability impact on the affected router.
Affected Products
- D-Link DWR-M920 firmware versions up to and including 1.1.50
- /boafrm/formIMEISetup web management endpoint
- The sub_412DA0 handler function within the embedded boa web server
Discovery Timeline
- 2026-06-05 - CVE-2026-11341 published to the National Vulnerability Database (NVD)
- 2026-06-05 - Last updated in the NVD
Technical Details for CVE-2026-11341
Vulnerability Analysis
The DWR-M920 exposes a web administration interface served by the embedded boa HTTP daemon. The endpoint /boafrm/formIMEISetup is processed by the function sub_412DA0, which accepts user-supplied input via the IMEI_value parameter. According to the published technical writeup, the parameter is incorporated into a shell command without adequate neutralization of shell metacharacters such as ;, |, &&, or backticks.
Because the device runs the web server with elevated privileges typical of embedded Linux routers, injected commands execute in that same context. Successful exploitation allows an attacker to read configuration data, alter device behavior, or disrupt connectivity. The vulnerability is classified under [CWE-77] and is reachable over the network, though it requires valid low-privileged credentials on the web interface.
Root Cause
The root cause is improper neutralization of special elements passed to a command interpreter. The sub_412DA0 handler concatenates the IMEI_value argument into a system command string and dispatches it to a shell without input validation, allow-listing, or safe argument passing. Embedded vendor firmware frequently uses system() or popen() calls in CGI handlers, and this pattern enables straightforward command injection when user input is not sanitized.
Attack Vector
An attacker authenticates to the DWR-M920 web interface and submits a crafted POST request to /boafrm/formIMEISetup. The IMEI_value field is populated with a benign IMEI prefix followed by a shell separator and an arbitrary command. The injected payload is then executed by the underlying shell during IMEI configuration processing. Remote exploitation is feasible when the management interface is reachable across the LAN, a misconfigured WAN, or via cross-site request forgery against an authenticated administrator.
No verified exploit code is reproduced here. Technical analysis is published at the GitHub Documentation and VulDB CVE-2026-11341 advisories.
Detection Methods for CVE-2026-11341
Indicators of Compromise
- HTTP POST requests to /boafrm/formIMEISetup containing shell metacharacters such as ;, |, &, ` or $( inside the IMEI_value parameter.
- Unexpected outbound connections originating from the router to attacker-controlled infrastructure following administrative sessions.
- New or modified files in writable firmware paths and unfamiliar processes spawned by the boa web server.
Detection Strategies
- Inspect web access logs and network captures for requests to /boafrm/formIMEISetup with non-numeric content in IMEI_value.
- Apply intrusion detection signatures that flag shell metacharacters in POST bodies destined for D-Link router management URIs.
- Correlate router authentication events with subsequent configuration changes to identify abuse of low-privileged accounts.
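The first two strategies above can be prototyped as follows. This is an added example, not code from the advisory or from D-Link. It applies the kind of allow-list the Root Cause section says the handler lacks, treating anything other than exactly 15 ASCII digits as suspicious. The IMEI format check, the raw-request input format, and the sample requests (host 192.0.2.1, the submit field, the /other path) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/boafrm/formIMEISetup"   # endpoint named in the advisory
PARAM = "IMEI_value"                 # parameter named in the advisory
IMEI_RE = re.compile(r"[0-9]{15}")   # assumption: a valid IMEI is exactly 15 ASCII digits
SHELL_META = set(";|&`$()<>\n\r")    # characters a POSIX shell treats specially

# Constructed sample requests (not captured traffic); host and extra field are placeholders.
_HDR = "POST /boafrm/formIMEISetup HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
SAMPLES = [
    _HDR + "IMEI_value=490154203237518&submit=Apply",   # well-formed IMEI
    _HDR + "IMEI_value=490154203237518%3BINJECTED",     # percent-encoded ';' after the digits
    _HDR + "IMEI_value=49015420323751X",                # malformed, no metacharacter
    "POST /other HTTP/1.1\r\n\r\nIMEI_value=1%3B2",     # different path: out of scope
]


def classify(value):
    """Return 'ok', 'shell-metachar' or 'non-numeric' for one decoded value."""
    if IMEI_RE.fullmatch(value):
        return "ok"
    return "shell-metachar" if SHELL_META & set(value) else "non-numeric"


def inspect_request(raw):
    """Return [(verdict, decoded_value), ...] for suspicious IMEI_value fields."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    parts = head.splitlines()[0].split() if head.strip() else []
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    if unquote(urlsplit(parts[1]).path) != ENDPOINT:
        return []
    # parse_qs percent-decodes each field and returns every duplicate of a
    # parameter; keep_blank_values reports an empty field instead of hiding it.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return [(classify(v), v) for v in values if classify(v) != "ok"]


if __name__ == "__main__":
    for n, sample in enumerate(SAMPLES, 1):
        for verdict, value in inspect_request(sample):
            print(f"request {n}: {verdict}: {value!r}")
```

Decoding before matching matters: a signature that looks only for a literal ; in the raw body misses the %3B form in the second sample.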
Monitoring Recommendations
- Forward router syslog and HTTP logs to a centralized analytics platform and alert on anomalous administrative activity.
- Baseline expected DNS and outbound traffic from the router and alert on deviations indicative of command execution.
- Monitor for unauthorized changes to firmware version, DNS settings, and administrative credentials.
How to Mitigate CVE-2026-11341
Immediate Actions Required
- Restrict access to the DWR-M920 web management interface to trusted management VLANs only and disable WAN-side administration.
- Rotate administrative credentials and remove unused low-privileged accounts that could be leveraged to reach /boafrm/formIMEISetup.
- Audit recent configuration changes and inspect the device for signs of unauthorized command execution.
Patch Information
No vendor-supplied firmware patch is referenced in the published advisories at the time of NVD publication on 2026-06-05. Monitor the D-Link Official Website for firmware updates addressing the formIMEISetup handler. Refer to the VulDB CVE-2026-11341 entry for tracking updates.
Workarounds
- Place the router behind a firewall and block inbound access to TCP ports used by the web management interface from untrusted networks.
- Enforce strong, unique administrator passwords and disable any guest or default low-privilege accounts that can authenticate to the web UI.
- Where feasible, replace end-of-support DWR-M920 hardware with a currently supported model that receives active firmware maintenance.
# Configuration example: restrict router management to a trusted subnet
# (apply on the upstream firewall; replace <router_ip> with the router's address
#  and 10.10.10.0/24 with your management network)
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

