📄 Description (English)
A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_425FF8 of the file /boafrm/formFirewallAdv of the component Advanced Firewall Configuration Endpoint. Such manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
🤖 AI Executive Summary
A critical stack-based buffer overflow vulnerability exists in D-Link DWR-M960 router firmware version 1.01.07 affecting the Advanced Firewall Configuration endpoint. The vulnerability allows remote attackers to execute arbitrary code by manipulating the submit-url parameter, with public exploits already available. This poses an immediate threat to organizations using this router model for network perimeter security.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 23:01
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in banking, government, and energy sectors utilizing D-Link DWR-M960 routers for network perimeter security face critical risk. SAMA-regulated financial institutions, NCA government networks, and ARAMCO/energy infrastructure are particularly vulnerable if this router model is deployed. Telecom operators (STC, Mobily, Zain) managing network infrastructure and healthcare facilities using these devices for secure network access are at significant risk. The remote nature of the exploit and availability of public PoC code elevates the threat level for all affected Saudi organizations.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Energy and Utilities
Telecommunications
Healthcare
Education
Retail and E-commerce
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all D-Link DWR-M960 devices running firmware 1.01.07 in your network using asset inventory tools
2. Isolate affected routers from critical network segments if immediate patching is not possible
3. Disable remote access to the Advanced Firewall Configuration endpoint (/boafrm/formFirewallAdv) via firewall rules
4. Monitor firewall logs for suspicious submit-url parameter manipulation attempts
PATCHING:
1. Download the latest firmware version from D-Link support portal
2. Apply firmware update immediately following D-Link's documented upgrade procedure
3. Verify successful patch installation by checking firmware version post-update
4. Test firewall functionality after patching to ensure operational continuity
COMPENSATING CONTROLS (if patching delayed):
1. Implement network segmentation restricting access to router management interfaces
2. Deploy WAF/IPS rules blocking malformed submit-url parameters
3. Enable router authentication and disable default credentials
4. Restrict administrative access to specific trusted IP ranges only
DETECTION:
1. Monitor for HTTP POST requests to /boafrm/formFirewallAdv with oversized submit-url parameters
2. Alert on stack overflow patterns in router logs
3. Track failed authentication attempts to router management interface
4. Monitor for unexpected process execution on router devices
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة D-Link DWR-M960 التي تعمل بالإصدار 1.01.07 في شبكتك باستخدام أدوات جرد الأصول
2. عزل أجهزة التوجيه المتأثرة عن القطاعات الحرجة في الشبكة إذا لم يكن التصحيح الفوري ممكناً
3. تعطيل الوصول البعيد إلى نقطة نهاية إعدادات جدار الحماية المتقدمة عبر قواعد جدار الحماية
4. مراقبة سجلات جدار الحماية للكشف عن محاولات التلاعب المريبة بمعامل submit-url
التصحيح:
1. تحميل أحدث إصدار من البرنامج الثابت من بوابة دعم D-Link
2. تطبيق تحديث البرنامج الثابت فوراً وفقاً للإجراء الموثق من D-Link
3. التحقق من نجاح تثبيت التصحيح بفحص إصدار البرنامج الثابت بعد التحديث
4. اختبار وظيفة جدار الحماية بعد التصحيح لضمان استمرارية التشغيل
الضوابط البديلة (إذا تأخر التصحيح):
1. تنفيذ تقسيم الشبكة لتقييد الوصول إلى واجهات إدارة جهاز التوجيه
2. نشر قواعد WAF/IPS لحجب معاملات submit-url المشوهة
3. تفعيل المصادقة على جهاز التوجيه وتعطيل بيانات الاعتماد الافتراضية
4. تقييد الوصول الإداري على نطاقات IP موثوقة محددة فقط
الكشف:
1. مراقبة طلبات HTTP POST إلى /boafrm/formFirewallAdv بمعاملات submit-url كبيرة الحجم
2. التنبيه على أنماط تجاوز المكدس في سجلات جهاز التوجيه
3. تتبع محاولات المصادقة الفاشلة لواجهة إدارة جهاز التوجيه
4. مراقبة تنفيذ العمليات غير المتوقعة على أجهزة التوجيه
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.8.1 - Asset Management and Inventory Control
ECC 2024 A.8.2 - Vulnerability Management
ECC 2024 A.8.3 - Patch Management
ECC 2024 A.13.1 - Network Security Controls
ECC 2024 A.14.2 - System Hardening and Configuration Management
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset Management
SAMA CSF ID.RA-2 - Vulnerability Management
SAMA CSF PR.IP-12 - Patch Management
SAMA CSF PR.AC-1 - Access Control
SAMA CSF DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.5.19 - Vulnerability Management
ISO 27001:2022 A.6.2 - Inventory of Assets
ISO 27001:2022 A.8.2 - Configuration Management
ISO 27001:2022 A.8.7 - Secure Development and Maintenance
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 11.2 - Vulnerability Scanning
PCI DSS 1.1 - Firewall Configuration Standards
🔗 References & Sources 5
🔗
https://github.com/LX-66-LX/cve-new/issues/15
cna@vuldb.com
Exploit
Issue Tracking
Third Party Advisory
🔗
https://vuldb.com/?ctiid.347175
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.347175
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.754486
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://www.dlink.com/
cna@vuldb.com
Product
📦 Affected Products / CPE 1 entries
dlink:dwr-m960_firmware:1.01.07