📄 Description (English)
A vulnerability was detected in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_42B5A0 of the file /boafrm/formBridgeVlan of the component Bridge VLAN Configuration Endpoint. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.
🤖 AI Executive Summary
A critical stack-based buffer overflow vulnerability exists in D-Link DWR-M960 router firmware (v1.01.07) affecting the Bridge VLAN configuration endpoint. Remote attackers can exploit this via the submit-url parameter to achieve arbitrary code execution without authentication. With public exploits available and widespread router deployment in Saudi networks, immediate patching is essential to prevent unauthorized access and network compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 01:03
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi telecommunications infrastructure (STC, Mobily, Zain), government networks (NCA, CITC), and enterprise networks using D-Link DWR-M960 routers as edge devices. Banking sector (SAMA-regulated institutions) faces risk if routers are deployed in branch networks or as VPN gateways. Energy sector (ARAMCO, utilities) and healthcare organizations using these routers for network segmentation are at critical risk. The unauthenticated remote code execution capability enables lateral movement into internal networks, potentially compromising SCADA systems and sensitive data repositories.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Government (NCA, CITC, Ministry networks)
Banking and Financial Services (SAMA-regulated)
Energy (ARAMCO, utilities, SCADA networks)
Healthcare
Enterprise Networks
ISP and Network Service Providers
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all D-Link DWR-M960 devices running firmware v1.01.07 using network scanning tools (nmap, Shodan queries)
2. Isolate affected routers from production networks or restrict access to trusted administrative IPs only
3. Disable remote management features (HTTP/HTTPS access from WAN) immediately
4. Change default credentials and implement strong authentication
PATCHING:
5. Download latest firmware from D-Link support portal (verify digital signatures)
6. Schedule maintenance windows for firmware updates on all affected devices
7. Test updates in lab environment before production deployment
8. Document all patched devices and maintain inventory
COMPENSATING CONTROLS (if patching delayed):
9. Deploy WAF rules blocking requests to /boafrm/formBridgeVlan endpoint
10. Implement network segmentation isolating router management interfaces
11. Monitor for suspicious Bridge VLAN configuration requests
12. Enable router logging and forward logs to SIEM
DETECTION:
13. IDS/IPS signatures: Alert on POST requests to /boafrm/formBridgeVlan with oversized submit-url parameters
14. Monitor for stack overflow indicators: abnormal process behavior, memory access violations
15. Log all administrative access attempts to router interfaces
16. Implement behavioral analysis for unexpected code execution from router processes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة D-Link DWR-M960 التي تعمل بالإصدار 1.01.07 باستخدام أدوات المسح الشبكي
2. عزل الموجهات المتأثرة عن الشبكات الإنتاجية أو تقييد الوصول إلى عناوين IP إدارية موثوقة فقط
3. تعطيل ميزات الإدارة البعيدة (الوصول HTTP/HTTPS من WAN) فوراً
4. تغيير بيانات الاعتماد الافتراضية وتنفيذ مصادقة قوية
التصحيح:
5. تحميل أحدث البرامج الثابتة من بوابة دعم D-Link (التحقق من التوقيعات الرقمية)
6. جدولة نوافذ الصيانة لتحديثات البرامج الثابتة على جميع الأجهزة المتأثرة
7. اختبار التحديثات في بيئة المختبر قبل النشر الإنتاجي
8. توثيق جميع الأجهزة المصححة والحفاظ على المخزون
الضوابط البديلة (إذا تأخر التصحيح):
9. نشر قواعد WAF لحجب الطلبات إلى نقطة نهاية /boafrm/formBridgeVlan
10. تنفيذ تقسيم الشبكة لعزل واجهات إدارة الموجه
11. مراقبة الطلبات المريبة لتكوين Bridge VLAN
12. تفعيل تسجيل الموجه وإعادة توجيه السجلات إلى SIEM
الكشف:
13. توقيعات IDS/IPS: تنبيهات على طلبات POST إلى /boafrm/formBridgeVlan مع معاملات submit-url كبيرة الحجم
14. مراقبة مؤشرات تجاوز المكدس: سلوك العملية غير الطبيعي، انتهاكات الوصول إلى الذاكرة
15. تسجيل جميع محاولات الوصول الإداري إلى واجهات الموجه
16. تنفيذ التحليل السلوكي لتنفيذ الكود غير المتوقع من عمليات الموجه
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.8.1 - Asset Management and Inventory Control
ECC 2024 A.12.6 - Change Management
ECC 2024 A.14.2 - System Hardening and Configuration Management
ECC 2024 A.16.1 - Incident Response and Management
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Physical and Cyber Assets Inventory
SAMA CSF PR.IP-3 - Configuration and Change Management
SAMA CSF DE.CM-1 - Network Monitoring and Detection
SAMA CSF RS.RP-1 - Response Planning
🟡 ISO 27001:2022
ISO 27001:2022 A.5.19 - Inventory of Information and Other Assets
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.8.6 - Access Control for Change of Privileges
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall Configuration Standards
PCI DSS 2.1 - Default Passwords and Security Parameters
PCI DSS 6.2 - Security Patches and Updates
🔗 References & Sources 5
🔗
https://github.com/LX-66-LX/cve-new/issues/20
cna@vuldb.com
Exploit
Issue Tracking
Third Party Advisory
🔗
https://vuldb.com/?ctiid.347272
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.347272
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.754497
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://www.dlink.com/
cna@vuldb.com
Product
📦 Affected Products / CPE 1 entries
dlink:dwr-m960_firmware:1.01.07