Cyber Posture

CVE-2025-15191

Severity: Medium · Public PoC

Published: 29 December 2025

Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0023 (45.6th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. Manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Directly prevents command injection by requiring validation of untrusted inputs, such as the fota_url argument in the vulnerable function.

Prevent: Mandates timely remediation of the specific flaw in sub_4155B4 through firmware patching for affected D-Link DWR-M920 versions up to 1.1.50.

Detect: Enables detection of this publicly disclosed CVE via vulnerability scanning, facilitating prompt patching and mitigation.

Security Summary (AI-generated)

CVE-2025-15191 is a command injection vulnerability in D-Link DWR-M920 routers, affecting versions up to 1.1.50. The flaw exists in the function sub_4155B4 within the file /boafrm/formLtefotaUpgradeFibocom, where manipulation of the fota_url argument triggers command injection. It is associated with CWE-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Remote exploitation is possible by an attacker with low privileges (PR:L) and network access; attack complexity is low and no user interaction is required. Successful exploitation has limited impact on confidentiality, integrity, and availability, such as executing arbitrary commands in the context of the vulnerable function.

Advisories and references, including GitHub entries at https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md and its PoC section, along with VulDB pages at https://vuldb.com/?ctiid.338576, https://vuldb.com/?id.338576, and https://vuldb.com/?submit.723554, document the vulnerability and provide a publicly available exploit.

The exploit has been made available to the public, heightening the potential for real-world attacks against unpatched devices.

Details

CWE(s)

CWE-74, CWE-77

Affected Products

dlink dwr-m920 firmware ≤ 1.1.50

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection via the fota_url web form parameter in a public-facing router interface enables remote exploitation of a public-facing application (T1190), network device CLI execution (T1059.008), and indirect command execution (T1202), as noted in the advisory.

References