PT-2025-53718 · D Link · D-Link Dwr-M920

Panda_0X1 · Published 2025-12-29 · Updated 2025-12-30 · CVE-2025-15191

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: D-Link DWR-M920 versions up to 1.1.50

Description: A flaw exists in D-Link DWR-M920 devices running versions up to 1.1.50. Manipulating the fota_url argument handled by the function sub_4155B4 in the file /boafrm/formLtefotaUpgradeFibocom leads to command injection. Remote exploitation is possible. The exploit has been publicly released and could be used to compromise systems.

Recommendations: Versions prior to 1.1.50 should be updated. As a temporary workaround, consider restricting access to the /boafrm/formLtefotaUpgradeFibocom file to minimize the risk of exploitation. Avoid using the fota_url parameter until the issue is resolved.

Weakness Enumeration: Special Elements Injection, Command Injection

Related Identifiers: CVE-2025-15191

Affected Products: D-Link Dwr-M920