CVE-2025-15191: Command Injection in D-Link DWR-M920
A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. Manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-15191 identifies a command injection vulnerability in the D-Link DWR-M920 LTE router series, specifically in firmware versions up to 1.1.50. The vulnerability resides in the function sub_4155B4 of the /boafrm/formLtefotaUpgradeFibocom component, where the fota_url parameter is improperly sanitized. This flaw allows an attacker to inject arbitrary commands remotely without requiring authentication or user interaction. The attack vector is network-based, exploiting the router's firmware upgrade mechanism by manipulating the URL parameter used for firmware over-the-air (FOTA) updates. Successful exploitation can lead to arbitrary code execution with the privileges of the affected process, potentially compromising the device's integrity and availability. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, reflecting the ease of exploitation but limited scope of impact. Although no active exploitation has been reported, a public exploit exists, increasing the likelihood of future attacks. The vulnerability affects a wide range of firmware versions (1.1.0 through 1.1.50), indicating a long-standing issue. The lack of authentication and user interaction requirements makes this a significant risk for exposed devices. The router is commonly used in LTE network environments, often in small office/home office (SOHO) or remote connectivity scenarios, making it a critical point of failure if compromised.
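The summary above describes the flaw only in outline: a caller-supplied URL reaches a command without adequate sanitization. The page does not show the firmware's implementation, so the following C sketch is an added example, not D-Link's code, of the two defences this class of bug calls for in an update handler: a strict allowlist validator for the URL, and an argv-style command vector so the URL is passed to a downloader as a single argument that no shell ever parses. The function names, the 255-byte limit, and the downloader path /bin/fota_fetch are assumptions for illustration.

```c
/* Added example, not D-Link firmware code. Illustrates hardening for a
 * handler that receives a caller-supplied firmware-update URL:
 *  (1) validate_fota_url(): allowlist validation of scheme, length and
 *      character set, so shell-significant bytes never get through;
 *  (2) build_fota_argv(): an argv vector for execv()/posix_spawn(), so the
 *      URL is one literal argument rather than text spliced into a shell
 *      command line handed to system() or popen().
 * Function names, FOTA_URL_MAX and /bin/fota_fetch are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FOTA_URL_MAX 255

/* Characters permitted after the scheme: RFC 3986 unreserved characters
 * plus the few delimiters a download URL needs. Shell metacharacters
 * (; | & ` $ ( ) < > quotes, whitespace) are deliberately absent. */
static int url_char_ok(unsigned char c)
{
    return isalnum(c) || strchr("-._~/:?=%", c) != NULL;
}

/* Returns 1 if url is a bounded http(s) URL whose host and path use only
 * allowlisted characters, 0 otherwise. */
int validate_fota_url(const char *url)
{
    if (url == NULL) return 0;
    size_t len = strlen(url);
    if (len == 0 || len > FOTA_URL_MAX) return 0;

    const char *rest;
    if (strncmp(url, "https://", 8) == 0) rest = url + 8;
    else if (strncmp(url, "http://", 7) == 0) rest = url + 7;
    else return 0;                               /* only http(s) schemes */

    if (*rest == '\0' || *rest == '/') return 0; /* empty host */
    for (const char *p = rest; *p != '\0'; p++)
        if (!url_char_ok((unsigned char)*p)) return 0;
    return 1;
}

/* Builds the argument vector for a downloader child process. Because the
 * URL is a single argv element, any metacharacters in it are literal bytes
 * to the child; there is no shell to interpret them.
 * Returns 0 on success, -1 if the URL fails validation or argv is too small. */
int build_fota_argv(const char *url, const char *dest,
                    const char *argv[], size_t argv_len)
{
    if (argv_len < 5 || !validate_fota_url(url)) return -1;
    argv[0] = "/bin/fota_fetch";   /* hypothetical downloader, not the real path */
    argv[1] = "-o";
    argv[2] = dest;
    argv[3] = url;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a well-formed update URL and one that
     * carries a shell separator in its path. */
    const char *clean = "https://updates.example.com/dwr-m920/fw.bin";
    const char *dirty = "https://updates.example.com/fw.bin;ls";
    const char *argv[5];

    printf("%-45s valid=%d\n", clean, validate_fota_url(clean));
    printf("%-45s valid=%d\n", dirty, validate_fota_url(dirty));
    if (build_fota_argv(clean, "/tmp/fw.bin", argv, 5) == 0)
        printf("argv[3] carries the URL verbatim: %s\n", argv[3]);
    return 0;
}
```

The allowlist is the first line of defence, but the argv vector is the one that removes the bug class outright: even if a future change loosens the character set, nothing in the URL is ever interpreted by a shell. The same pattern applies to any other request field (hostnames, filenames, interface names) that a web handler forwards to a helper binary.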
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized remote code execution on D-Link DWR-M920 routers, potentially leading to full device compromise. This can result in disruption of internet connectivity, interception or manipulation of network traffic, and use of the device as a pivot point for further attacks within the network. Critical infrastructure relying on LTE connectivity, such as remote offices, industrial IoT deployments, or emergency communication setups, could face operational outages or data breaches. The medium severity score reflects moderate impact, but the ease of exploitation and lack of authentication requirements elevate the threat level. Organizations in sectors like telecommunications, manufacturing, and public services that deploy these routers are particularly vulnerable. Additionally, compromised routers could be recruited into botnets, amplifying broader cyber threats. The absence of patches at the time of reporting increases exposure, necessitating immediate mitigation efforts.
Mitigation Recommendations
1. Monitor D-Link's official channels for firmware updates addressing CVE-2025-15191 and apply patches promptly once available.
2. Restrict network access to the router's management and firmware upgrade interfaces using firewall rules or network segmentation to limit exposure to untrusted networks.
3. Disable remote management and FOTA features if not required or if alternative secure update mechanisms exist.
4. Employ intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious traffic targeting the vulnerable endpoint.
5. Conduct regular audits of router configurations and firmware versions across the organization to identify and remediate vulnerable devices.
6. For critical deployments, consider replacing affected routers with models not impacted by this vulnerability or with better security postures.
7. Educate network administrators about the risks of command injection vulnerabilities and the importance of timely patching and access controls.
8. Implement network anomaly detection to identify unusual command execution patterns or traffic indicative of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-28T09:10:09.118Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695450bddb813ff03e2bf8d0
Added to database: 12/30/2025, 10:22:53 PM
Last enriched: 12/30/2025, 11:49:52 PM
Last updated: 2/4/2026, 10:36:31 AM