📄 Description (English)
A flaw has been found in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_412DA0 of the file /boafrm/formIMEISetup. This manipulation of the argument IMEI_value causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used.
🤖 AI Executive Summary
A critical command injection vulnerability exists in D-Link DWR-M920 routers (up to version 1.1.50) affecting the IMEI setup function. An unauthenticated remote attacker can execute arbitrary OS commands through the IMEI_value parameter, potentially compromising router integrity and network security. With no patch currently available and published exploit details, this poses an immediate threat to organizations relying on these devices.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 5, 2026 22:36
🇸🇦 Saudi Arabia Impact Assessment
Saudi telecommunications operators (STC, Mobily, Zain) and government agencies using D-Link DWR-M920 routers for network infrastructure face significant risk. Banking sector organizations using these devices for branch connectivity could experience network compromise. Healthcare facilities and critical infrastructure operators relying on these routers for remote access are particularly vulnerable. The vulnerability allows complete router compromise, enabling lateral movement into internal networks, data interception, and service disruption.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all D-Link DWR-M920 devices in your network using network scanning tools
2. Isolate affected devices from critical network segments if possible
3. Implement network-level access controls restricting access to router management interfaces
4. Monitor router logs for suspicious IMEI_value parameter submissions
COMPENSATING CONTROLS (until patch available):
1. Disable remote management access to the router (/boafrm/formIMEISetup endpoint)
2. Implement WAF rules blocking requests containing special shell characters in IMEI_value parameter
3. Restrict access to router administration interfaces to trusted IP ranges only
4. Enable router authentication and change default credentials immediately
5. Implement network segmentation to limit router compromise impact
DETECTION RULES:
1. Monitor for HTTP POST requests to /boafrm/formIMEISetup with special characters (;|&`$())
2. Alert on IMEI_value parameters containing command injection payloads
3. Monitor router process execution logs for unexpected child processes
4. Track failed and successful authentication attempts to router management interface
PATCHING:
1. Contact D-Link support for security updates
2. Check D-Link security advisories regularly for patch availability
3. Prepare upgrade plan for firmware versions beyond 1.1.50 when available
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة D-Link DWR-M920 في شبكتك باستخدام أدوات المسح
2. عزل الأجهزة المتأثرة عن القطاعات الحرجة في الشبكة إن أمكن
3. تطبيق عناصر التحكم في الوصول على مستوى الشبكة لتقييد الوصول إلى واجهات إدارة جهاز التوجيه
4. مراقبة سجلات جهاز التوجيه للبحث عن عمليات إرسال معاملات IMEI_value المريبة
عناصر التحكم التعويضية (حتى توفر التصحيح):
1. تعطيل الوصول الإداري البعيد إلى جهاز التوجيه
2. تطبيق قواعد جدار الحماية لحجب الطلبات التي تحتوي على أحرف shell خاصة
3. تقييد الوصول إلى واجهات إدارة جهاز التوجيه على نطاقات IP موثوقة فقط
4. تفعيل المصادقة وتغيير بيانات الاعتماد الافتراضية فوراً
5. تطبيق تقسيم الشبكة لتحديد تأثير اختراق جهاز التوجيه
قواعد الكشف:
1. مراقبة طلبات HTTP POST إلى /boafrm/formIMEISetup بأحرف خاصة
2. التنبيه على معاملات IMEI_value التي تحتوي على حمولات حقن الأوامر
3. مراقبة سجلات تنفيذ العمليات لجهاز التوجيه للعمليات الفرعية غير المتوقعة
4. تتبع محاولات المصادقة الفاشلة والناجحة لواجهة إدارة جهاز التوجيه
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Network access control and segmentation
ECC 2024 A.5.2.1 - Secure configuration management
ECC 2024 A.5.3.1 - Vulnerability management and patching
ECC 2024 A.6.2.1 - Monitoring and logging of security events
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory
SAMA CSF PR.AC-1 - Access control policies and procedures
SAMA CSF PR.IP-12 - Vulnerability management program
SAMA CSF DE.CM-1 - Network monitoring and anomaly detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Supplier relationships
ISO 27001:2022 A.8.1 - Asset management
ISO 27001:2022 A.8.6 - Management of technical vulnerabilities
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 2.4 - Secure configuration of network devices
PCI DSS 6.2 - Vulnerability management program
PCI DSS 11.2 - Vulnerability scanning
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/7u7777/Dlink/blob/DWR-M920/formIMEISetup.md
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11341
cna@vuldb.com
https://vuldb.com/submit/832593
cna@vuldb.com
https://vuldb.com/vuln/368882
cna@vuldb.com
https://vuldb.com/vuln/368882/cti
cna@vuldb.com
https://www.dlink.com/
cna@vuldb.com