CVE-2026-1625 Overview
CVE-2026-1625 is a command injection vulnerability affecting D-Link DWR-M961 routers running firmware version 1.1.47. The flaw resides in the sub_4250E0 function within the /boafrm/formSmsManage endpoint, which handles SMS Message component requests. An authenticated remote attacker can manipulate the action_value argument to inject operating system commands that execute in the context of the web server process. The exploit details have been publicly disclosed, increasing the risk of opportunistic attacks against exposed devices. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can inject arbitrary commands through the SMS management interface, potentially gaining control over the router and the network traffic it processes.
Affected Products
- D-Link DWR-M961 (hardware)
- D-Link DWR-M961 firmware version 1.1.47
- Deployments exposing the /boafrm/formSmsManage endpoint
Discovery Timeline
- 2026-01-29 - CVE-2026-1625 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-1625
Vulnerability Analysis
The vulnerability exists in the sub_4250E0 function of the /boafrm/formSmsManage web handler on the DWR-M961 router. This function processes SMS-related actions from the web management interface. When the handler receives a request, it reads the action_value parameter and incorporates it into a downstream command without sanitizing shell metacharacters. An attacker who can reach the management interface and supply a crafted parameter value can break out of the intended command context and execute arbitrary operating system commands. Successful exploitation provides code execution on the embedded Linux platform underneath the router firmware. The vulnerability requires the attacker to be authenticated to the device, limiting unauthenticated remote exploitation but not eliminating risk when default or weak credentials are in use.
Root Cause
The root cause is improper neutralization of special elements in output passed to a downstream component, tracked as CWE-74. The sub_4250E0 function concatenates user-controlled input from action_value into a shell command string without escaping or allow-listing valid characters. Shell metacharacters such as ;, |, &, and backticks are passed directly to the command interpreter.
Attack Vector
The attack vector is network-based. An attacker authenticated to the device sends an HTTP request to /boafrm/formSmsManage containing a malicious action_value parameter. The injected payload is interpreted by the underlying shell when the SMS management routine executes, yielding command execution as the web server user. Refer to the GitHub Issue Discussion and VulDB entry #343384 for additional technical details.
Detection Methods for CVE-2026-1625
Indicators of Compromise
- HTTP POST requests to /boafrm/formSmsManage containing shell metacharacters (;, |, &, `, $()) inside the action_value parameter.
- Unexpected outbound connections originating from the router management plane to attacker-controlled hosts.
- New or modified processes spawned by the boa web server outside of normal firmware behavior.
- Configuration changes to DNS, firewall, or routing tables that do not correspond to administrator activity.
Detection Strategies
- Inspect web server access logs on the router for requests targeting /boafrm/formSmsManage with non-printable characters or command separators in query and body parameters.
- Deploy network intrusion detection signatures that match command injection patterns within action_value POST data toward DWR-M961 management interfaces.
- Baseline expected SMS management activity and alert on requests originating from unfamiliar source addresses or outside maintenance windows.
Monitoring Recommendations
- Monitor management interface exposure and alert when the router web UI becomes reachable from untrusted networks or the WAN.
- Track authentication events on the router and correlate successful logins with subsequent requests to SMS management endpoints.
- Forward router syslog data to a centralized logging platform for retention and anomaly detection across the device fleet.
How to Mitigate CVE-2026-1625
Immediate Actions Required
- Restrict access to the router web management interface to trusted internal management VLANs and block WAN-side access.
- Rotate administrator credentials on all DWR-M961 devices and enforce strong, unique passwords to limit authenticated exploitation paths.
- Disable the SMS management feature where it is not required for operational use cases.
- Inventory all DWR-M961 units running firmware 1.1.47 and prioritize them for remediation.
Patch Information
At the time of NVD publication, D-Link had not published a vendor advisory or fixed firmware build referenced in the CVE record. Administrators should monitor the D-Link Homepage and regional support portals for firmware updates addressing CVE-2026-1625. Apply the corrected firmware to all affected DWR-M961 devices as soon as it becomes available.
Workarounds
- Place the router management interface behind a VPN or jump host so the /boafrm/formSmsManage endpoint is unreachable from general user networks.
- Apply network ACLs on upstream switches or firewalls to drop HTTP and HTTPS traffic destined for the router from untrusted segments.
- Where supported, configure the device to require client certificate authentication or source-IP restrictions for the web UI.
- Replace end-of-life or unmaintained DWR-M961 units with currently supported hardware if no firmware fix is forthcoming.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
