Cyber Posture

CVE-2026-2169

MediumPublic PoC

Published: 08 February 2026

Published
08 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0009 26.2th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2169 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dwr-M921 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection by enforcing validation of the fota_url argument in the vulnerable endpoint.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of the specific command injection flaw in D-Link DWR-M921 firmware version 1.1.50.

AC-6 Least Privilege partial match
prevent

Limits the scope and impact of arbitrary commands injected via fota_url by enforcing least privilege on the affected process.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection vulnerability in a web form of a public-facing network device application enables remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been…

more

disclosed to the public and may be used.

Deeper analysisAI

CVE-2026-2169 is a command injection vulnerability affecting D-Link DWR-M921 version 1.1.50. The flaw impacts an unknown function within the file /boafrm/formLtefotaUpgradeFibocom, where manipulation of the fota_url argument enables injection of arbitrary commands. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely by attackers possessing low privileges, requiring low attack complexity and no user interaction. Successful exploitation grants limited access to execute commands, potentially resulting in low-level impacts to confidentiality, integrity, and availability on the targeted device.

Advisories and details are documented on VulDB (ctiid.344871, id.344871, submit.748930) and a GitHub issue at LX-66-LX/cve-new/issues/3, with a reference to the D-Link website. The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s)
CWE-74CWE-77

Affected Products

dlink
dwr-m921 firmware
1.1.50

CVEs Like This One

CVE-2026-2085Same product: Dlink Dwr-M921
CVE-2026-2168Same product: Dlink Dwr-M921
CVE-2026-4197Same vendor: Dlink
CVE-2025-10628Same vendor: Dlink
CVE-2026-4196Same vendor: Dlink
CVE-2026-4206Same vendor: Dlink
CVE-2025-1800Same vendor: Dlink
CVE-2026-1625Same vendor: Dlink
CVE-2026-2218Same vendor: Dlink
CVE-2026-4209Same vendor: Dlink

References