PatchSiren cyber security CVE debrief
CVE-2026-11339 D-Link CVE debrief
A command injection vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
- Vendor
- D-Link
- Product
- DWR-M920
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-05
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-05
- Advisory updated
- 2026-06-09
Who should care
Administrators and users of D-Link DWR-M920 up to 1.1.50
Technical summary
The vulnerability has a CVSS score of 2.1 and a CVSS severity of LOW. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
LOW
Recommended defensive actions
- Update to a version of D-Link DWR-M920 firmware that is not vulnerable
- Limit access to the /boafrm/formUSSDSetup file
Evidence notes
The vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup.
Official resources
-
CVE-2026-11339 CVE record
CVE.org
-
CVE-2026-11339 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
-
Source reference
[email protected] - Permissions Required, VDB Entry
-
Source reference
[email protected] - Product
CVE-2026-11339 was published on 2026-06-05T17:16:46.193Z and modified on 2026-06-09T16:17:35.963Z.