HIGHCVE-2026-2085Published 2026-02-07Modified 2026-02-23CNA VulDB

CVE-2026-2085: D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection

A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

D-Link / DWR-M921
1.1.50

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

VDB-344652 | D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection
VDB-344652 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746400 | D-Link DWR-M921 V1.1.50 Command Injection
github.com
github.com
dlink.com

Metrics