CVE-2026-11339
MediumCVSS 6.3Exploitation Probability (EPSS)
Elevated risk68th percentile - higher than 68% of all known CVEs
Summary
A vulnerability was detected in D-Link DWR-M920 up to version 1.1.50. Manipulation of the ussdValue argument in the sub_41CF20 function leads to command injection, allowing for remote attacks.
Risk Assessment
The organization is exposed to remote attacks that could result in unauthorized command execution on the device.
Recommendation
It is recommended to update the device to the latest firmware version to mitigate this vulnerability.
Original NVD description (English source)
A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

