PT-2026-5307 · D Link · D-Link Dwr-M961
Hhsw34 · Published 2026-01-29 · Updated 2026-02-10 · CVE-2026-1596
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
D-Link DWR-M961 version 1.1.47
Description
A flaw exists in D-Link DWR-M961 version 1.1.47 that allows for command injection. This issue is related to the sub 419920 function within the /boafrm/formLtefotaUpgradeQuectel file. Manipulation of the fota url argument can lead to remote code execution. An exploit for this issue has been published.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /boafrm/formLtefotaUpgradeQuectel file. Avoid using the fota url parameter until the issue is resolved.
Exploit
Fix
Command Injection
Special Elements Injection
Related Identifiers
Affected Products
D-Link Dwr-M961