Cyber Resilience

CVE-2026-1596

Medium

Published: 29 January 2026

Published
29 January 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0165 73.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1596 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dwr-M961 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1596 is a command injection vulnerability affecting the D-Link DWR-M961 router on firmware version 1.1.47. The flaw exists in the function sub_419920 within the file /boafrm/formLtefotaUpgradeQuectel, where manipulation of the fota_url argument enables command injection. It is associated with CWEs-74 and CWE-77 and received a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), published on 2026-01-29.

The vulnerability is exploitable remotely by an attacker possessing low privileges. Successful exploitation allows command injection, resulting in low impacts to confidentiality, integrity, and availability, such as limited data exposure, modification, or denial of service on the affected device.

Advisories and additional details are documented in references including VULDB entries (https://vuldb.com/?ctiid.343358, https://vuldb.com/?id.343358, https://vuldb.com/?submit.740693) and the D-Link website (https://www.dlink.com/). A proof-of-concept exploit is publicly available on GitHub (https://github.com/QIU-DIE/CVE/issues/48) and may be used.

The published exploit indicates potential for real-world exploitation of this router firmware vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. The attack is possible to be carried out remotely. The exploit has…

more

been published and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing router firmware directly enables remote exploitation (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1624Same product: Dlink Dwr-M961
CVE-2026-1625Same product: Dlink Dwr-M961
CVE-2026-4204Same vendor: Dlink
CVE-2026-8345Same vendor: Dlink
CVE-2026-4197Same vendor: Dlink
CVE-2026-2085Same vendor: Dlink
CVE-2026-4195Same vendor: Dlink
CVE-2026-1419Same vendor: Dlink
CVE-2026-4206Same vendor: Dlink
CVE-2025-1800Same vendor: Dlink

Affected Assets

dlink
dwr-m961 firmware
1.1.47

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the fota_url argument to block command injection in sub_419920.

prevent

Mandates timely patching of the published firmware flaw in /boafrm/formLtefotaUpgradeQuectel.

prevent

Limits privileges of the web process handling fota_url so injected commands cannot perform broad actions.

References