Cyber Resilience

CVE-2026-1625

Medium

Published: 29 January 2026

Published
29 January 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0234 81.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1625 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dwr-M961 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1625 is a command injection vulnerability affecting the D-Link DWR-M961 router on firmware version 1.1.47. The flaw resides in the sub_4250E0 function within the /boafrm/formSmsManage file of the SMS Message component, where manipulation of the action_value argument enables injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2026-01-29.

An attacker with low privileges can exploit this remotely with low complexity and no user interaction required. Successful exploitation allows arbitrary command execution, resulting in limited impacts to confidentiality, integrity, and availability.

Advisories detail the issue on VulDB (ctiid.343384, id.343384, submit.740792) and a GitHub repository (QIU-DIE/CVE/issues/51), with the vendor site at dlink.com also referenced. The exploit is public and available for use.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated…

more

remotely. The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing router web form (formSmsManage) directly enables remote exploitation (T1190) leading to arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1624Same product: Dlink Dwr-M961
CVE-2026-1596Same product: Dlink Dwr-M961
CVE-2026-4204Same vendor: Dlink
CVE-2026-8345Same vendor: Dlink
CVE-2026-4197Same vendor: Dlink
CVE-2026-2085Same vendor: Dlink
CVE-2026-4195Same vendor: Dlink
CVE-2026-1419Same vendor: Dlink
CVE-2026-4206Same vendor: Dlink
CVE-2025-1800Same vendor: Dlink

Affected Assets

dlink
dwr-m961 firmware
1.1.47

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks command injection by validating the action_value argument before it reaches sub_4250E0 in formSmsManage.

prevent

Requires timely remediation of the publicly disclosed flaw in DWR-M961 firmware 1.1.47 to eliminate the injection vector.

prevent

Limits the scope of commands an authenticated low-privilege user can successfully execute after injection succeeds.

References