PT-2026-5307 · D Link · D-Link Dwr-M961

Hhsw34

Publicado

2026-01-29

Atualizado

2026-02-10

CVE-2026-1596

CVSS v2.0

9.0

Alta

Vetor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions D-Link DWR-M961 version 1.1.47

Description A flaw exists in D-Link DWR-M961 version 1.1.47 that allows for command injection. This issue is related to the sub 419920 function within the /boafrm/formLtefotaUpgradeQuectel file. Manipulation of the fota url argument can lead to remote code execution. An exploit for this issue has been published.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /boafrm/formLtefotaUpgradeQuectel file. Avoid using the fota url parameter until the issue is resolved.

Exploit

Correção

Command Injection

Special Elements Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-77CWE-74

Identificadores relacionados

BDU:2026-02158

CVE-2026-1596

Produtos afetados

D-Link Dwr-M961

PT-2026-5307 · D Link · D-Link Dwr-M961

CVE-2026-1596

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11