📄 Description (English)
A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_462590 of the file /boafrm/formOpMode of the component Operation Mode Configuration Endpoint. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🤖 AI Executive Summary
A critical stack-based buffer overflow vulnerability exists in D-Link DWR-M960 router firmware version 1.01.07, affecting the Operation Mode Configuration endpoint. The vulnerability allows remote attackers to execute arbitrary code by manipulating the submit-url parameter. With a CVSS score of 8.8 and publicly disclosed exploit code, this poses an immediate threat to organizations using this router model across Saudi Arabia.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 01:05
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi telecommunications providers (STC, Mobily, Zain) and ISPs that deploy DWR-M960 routers in customer networks. Government agencies and critical infrastructure operators using these devices for network access are at significant risk. Banking sector organizations with branch connectivity through these routers face potential compromise of network integrity. Healthcare facilities and ARAMCO-affiliated entities using this equipment for remote access could experience service disruption and data exfiltration. The vulnerability enables complete device compromise, allowing attackers to intercept traffic, establish persistent backdoors, and pivot into internal networks.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Internet Service Providers
Government Agencies
Banking and Financial Services
Healthcare
Energy (ARAMCO and affiliates)
Critical Infrastructure
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all DWR-M960 devices running firmware 1.01.07 in your network using network scanning tools
2. Isolate affected devices from critical network segments if patching cannot be completed immediately
3. Implement network-level access controls restricting access to the /boafrm/formOpMode endpoint
4. Monitor for exploitation attempts using IDS/IPS signatures
PATCHING GUIDANCE:
1. Check D-Link support portal for firmware version 1.01.08 or later
2. Download firmware from official D-Link Saudi Arabia support channels only
3. Perform firmware update during maintenance windows with rollback capability
4. Verify firmware integrity using provided checksums before deployment
5. Test in lab environment before production deployment
COMPENSATING CONTROLS (if patch unavailable):
1. Restrict administrative access to router management interface via firewall rules
2. Disable remote management features if not required
3. Implement network segmentation to limit router access to authorized personnel only
4. Deploy WAF rules to block malicious submit-url payloads
5. Enable detailed logging on router access attempts
DETECTION RULES:
1. Monitor HTTP POST requests to /boafrm/formOpMode with oversized submit-url parameters (>256 bytes)
2. Alert on stack-based buffer overflow patterns in router logs
3. Track firmware version changes on DWR-M960 devices
4. Monitor for unusual process execution on router devices
5. Implement SNORT/Suricata rule: alert http any any -> any any (msg:"D-Link DWR-M960 Buffer Overflow Attempt"; content:"/boafrm/formOpMode"; content:"submit-url"; distance:0; within:100; pcre:"/submit-url=.{256,}/"; sid:1000001;)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة DWR-M960 التي تعمل بالإصدار 1.01.07 في شبكتك باستخدام أدوات المسح
2. عزل الأجهزة المتأثرة عن القطاعات الحرجة إذا لم يكن التحديث ممكناً فوراً
3. تطبيق عناصر تحكم الوصول على مستوى الشبكة لتقييد الوصول إلى نقطة النهاية
4. مراقبة محاولات الاستغلال باستخدام توقيعات IDS/IPS
إرشادات التصحيح:
1. التحقق من بوابة دعم D-Link للحصول على الإصدار 1.01.08 أو أحدث
2. تحميل البرنامج الثابت من قنوات الدعم الرسمية فقط
3. إجراء تحديث البرنامج الثابت خلال نوافذ الصيانة
4. التحقق من سلامة البرنامج الثابت قبل النشر
5. الاختبار في بيئة معملية قبل النشر الإنتاجي
عناصر التحكم البديلة:
1. تقييد الوصول الإداري إلى واجهة إدارة الجهاز عبر قواعد جدار الحماية
2. تعطيل ميزات الإدارة البعيدة إذا لم تكن مطلوبة
3. تطبيق تقسيم الشبكة لتحديد الوصول
4. نشر قواعد WAF لحظر الحمولات الضارة
5. تفعيل السجلات التفصيلية
قواعد الكشف:
1. مراقبة طلبات HTTP POST إلى /boafrm/formOpMode بمعاملات submit-url كبيرة
2. التنبيه على أنماط تجاوز المخزن المؤقت
3. تتبع تغييرات إصدار البرنامج الثابت
4. مراقبة تنفيذ العمليات غير العادية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring and logging of network access
ECC 2024 A.13.1.3 - Segregation of networks
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - Security awareness and training for patch management
DE.CM-1 - Detection and monitoring of network anomalies
RS.MI-2 - Incident response and containment procedures
🟡 ISO 27001:2022
A.12.2.1 - Monitoring and logging of network access
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development and change management
A.13.1.3 - Segregation of networks
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning and assessment
Requirement 12.2 - Configuration standards for network devices
🔗 References & Sources 5
🔗
https://github.com/LX-66-LX/cve-new/issues/22
cna@vuldb.com
Exploit
Issue Tracking
Third Party Advisory
🔗
https://vuldb.com/?ctiid.347274
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.347274
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.754499
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://www.dlink.com/
cna@vuldb.com
Product
📦 Affected Products / CPE 1 entries
dlink:dwr-m960_firmware:1.01.07