CVE-2026-2169
Published: 08 February 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-2169 is a command injection vulnerability affecting D-Link DWR-M921 version 1.1.50. The flaw impacts an unknown function within the file /boafrm/formLtefotaUpgradeFibocom, where manipulation of the fota_url argument enables injection of arbitrary commands. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by attackers possessing low privileges, requiring low attack complexity and no user interaction. Successful exploitation grants limited access to execute commands, potentially resulting in low-level impacts to confidentiality, integrity, and availability on the targeted device.
Advisories and details are documented on VulDB (ctiid.344871, id.344871, submit.748930) and a GitHub issue at LX-66-LX/cve-new/issues/3, with a reference to the D-Link website. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in a web form of a public-facing network device application enables remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).