CVE-2026-2958

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in D-Link DWR-M960 routers allows remote attackers to execute arbitrary code by manipulating the save_apply parameter in the formWsc function. This affects D-Link DWR-M960 routers running firmware version 1.01.07. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • D-Link DWR-M960
Versions: 1.01.07
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the affected firmware version are vulnerable by default. No special configuration is required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement to internal networks, and botnet recruitment.

🟠 Likely Case

Remote code execution allowing attackers to modify device configuration, intercept network traffic, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing routers directly exposed to attackers.
🏢 Internal Only: MEDIUM - While still vulnerable, internal-only devices have reduced attack surface but remain at risk from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available, making weaponization likely. The buffer overflow is straightforward to exploit for remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/

Restart Required: Yes

Instructions:

1. Check D-Link website for security advisories
2. Download latest firmware if available
3. Upload firmware through router admin interface
4. Reboot router after update

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Isolate affected routers in separate network segments to limit potential lateral movement

Access Control Lists (applies to: linux)

Implement firewall rules to restrict access to router management interfaces. Replace trusted_network with the management subnet in CIDR form (for example 192.168.1.0/24). The rules below cover only port 80; repeat them for any other management port the device exposes (such as 443 for HTTPS).

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Remove affected devices from internet-facing positions and place behind firewalls
  • Implement strict network monitoring for unusual traffic patterns from router devices

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.01.07, device is vulnerable.

Check Version:

Check via router web interface at http://router_ip/ or using telnet/ssh if enabled

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.01.07

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /boafrm/formWsc
  • Multiple failed authentication attempts followed by successful formWsc access
  • Router configuration changes from unexpected IP addresses

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • Traffic patterns suggesting router is participating in DDoS attacks
  • Port scanning originating from router IP

SIEM Query:

source="router_logs" AND (uri="/boafrm/formWsc" OR message="*save_apply*")

(Splunk-style syntax shown; the wildcard is needed so that message matches any request containing the save_apply parameter rather than only an exact value. Adapt the field names and syntax to your SIEM.)
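The SIEM query above only filters on the endpoint name. The following added example (not code from the page, D-Link or any vendor) shows how the log indicators in this section can be turned into concrete detection logic: it parses constructed access-log style lines in which a reverse proxy or IDS in front of the router has recorded the POST body, flags requests to /boafrm/formWsc that originate outside an assumed trusted management subnet, and flags any save_apply value that is far longer than a legitimate setting could be. The log format, the trusted CIDR, and the 64-byte threshold are assumptions for illustration.

```python
import re
import ipaddress
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample log lines (not captured from a real device). Combined-log style
# with the recorded POST body appended as a trailing quoted field. The third line
# carries an oversized save_apply value standing in for an overflow attempt.
OVERSIZED_VALUE = "A" * 300
SAMPLE_LOGS = [
    '192.168.1.10 - - [12/Mar/2026:10:01:02 +0000] "POST /boafrm/formWsc HTTP/1.1" 200 512 "save_apply=1&wsc_enable=1"',
    '203.0.113.45 - - [12/Mar/2026:10:05:41 +0000] "GET /index.htm HTTP/1.1" 200 1024 ""',
    f'203.0.113.45 - - [12/Mar/2026:10:05:42 +0000] "POST /boafrm/formWsc HTTP/1.1" 200 0 "save_apply={OVERSIZED_VALUE}"',
    '192.168.1.10 - - [12/Mar/2026:10:07:00 +0000] "POST /boafrm/formLogin HTTP/1.1" 302 0 "username=admin"',
]

# Assumed log layout: ip ident user [timestamp] "METHOD path proto" status size "body"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<body>[^"]*)"$'
)

TARGET_PATH = "/boafrm/formWsc"   # endpoint named in the advisory
TARGET_PARAM = "save_apply"       # parameter named in the advisory
MAX_PARAM_LEN = 64                # assumption: legitimate values are only a few bytes


@dataclass
class Alert:
    ip: str
    timestamp: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_trusted(ip, trusted_nets):
    """True if ip falls inside any of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def analyze(lines, trusted_cidrs=("192.168.1.0/24",), max_param_len=MAX_PARAM_LEN):
    """Return one Alert per suspicious condition found in the given log lines."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        # Indicator 1: the vulnerable endpoint reached from outside the management subnet
        if not in_trusted(rec["ip"], trusted_nets):
            alerts.append(Alert(rec["ip"], rec["ts"], "formWsc request from untrusted source"))
        # Indicator 2: a save_apply value far larger than any legitimate setting
        params = parse_qs(rec["body"], keep_blank_values=True)
        for value in params.get(TARGET_PARAM, []):
            if len(value) > max_param_len:
                alerts.append(Alert(rec["ip"], rec["ts"],
                                    f"{TARGET_PARAM} value of {len(value)} bytes exceeds {max_param_len}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"[ALERT] {a.timestamp} {a.ip}: {a.reason}")
```

Running the block against the constructed sample produces two alerts for 203.0.113.45 (untrusted source, oversized parameter) and none for the legitimate request from the management subnet. The length check matters because a simple endpoint match, as in the SIEM query, also fires on every ordinary WPS configuration save from an administrator.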
