Cyber Posture

CVE-2026-1624

Medium

Published: 29 January 2026

Published
29 January 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0002 5.2th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1624 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dwr-M961 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation
addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-4 System Monitoring
addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in public-facing router web interface directly enables remote exploitation (T1190) and arbitrary Unix command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has…

more

been disclosed publicly and may be used.

Deeper analysisAI

CVE-2026-1624 is a command injection vulnerability in the D-Link DWR-M961 router running firmware version 1.1.47. The issue affects an unknown function within the file /boafrm/formLtefotaUpgradeFibocom, where manipulation of the fota_url argument enables arbitrary command execution. Classified under CWE-74 and CWE-77, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-01-29.

The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, requiring no user interaction and low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the device.

Advisories and details are available in references including a GitHub issue at https://github.com/QIU-DIE/CVE/issues/50 and VulDB entries at https://vuldb.com/?ctiid.343383, https://vuldb.com/?id.343383, and https://vuldb.com/?submit.740770, with the vendor site at https://www.dlink.com/ listed for further information on mitigations or patches.

The exploit has been publicly disclosed and may be used in attacks.

Details

CWE(s)
CWE-74CWE-77

Affected Products

dlink
dwr-m961 firmware
1.1.47

CVEs Like This One

CVE-2026-1625Same product: Dlink Dwr-M961
CVE-2026-1596Same product: Dlink Dwr-M961
CVE-2026-4197Same vendor: Dlink
CVE-2025-10628Same vendor: Dlink
CVE-2026-4196Same vendor: Dlink
CVE-2026-4206Same vendor: Dlink
CVE-2026-2085Same vendor: Dlink
CVE-2025-1800Same vendor: Dlink
CVE-2026-2218Same vendor: Dlink
CVE-2026-4209Same vendor: Dlink

References