CVE-2026-1624 identifies a command injection vulnerability in the D-Link DWR-M961 router, specifically firmware version 1.1.47. The vulnerability arises from improper sanitization of the 'fota_url' parameter in a function related to the LTE firmware over-the-air (FOTA) upgrade process, located at the /boafrm/formLtefotaUpgradeFibocom endpoint. By crafting a malicious request that manipulates this parameter, an unauthenticated remote attacker can inject arbitrary system commands, potentially gaining control over the device or disrupting its operation. The vulnerability does not require user interaction or prior authentication, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, indicating low privileges but not none), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the CVSS score is medium (5.3), the ability to execute commands remotely on a network device is significant. No patches or firmware updates have been linked yet, and no known exploits are reported in the wild, but public disclosure increases the risk of exploitation attempts. The vulnerability affects only version 1.1.47 of the DWR-M961, a 4G LTE router commonly used in various regions for broadband connectivity. The lack of authentication and remote exploitability make this a critical concern for network security, especially in environments where these routers are deployed at scale or in sensitive roles.

The primary impact of CVE-2026-1624 is the potential for remote command execution on affected D-Link DWR-M961 routers, which can lead to full device compromise. Attackers could manipulate router configurations, intercept or redirect network traffic, launch further attacks within the internal network, or cause denial of service by disrupting router functionality. This undermines the confidentiality, integrity, and availability of network communications relying on the device. Organizations using these routers in enterprise, industrial, or critical infrastructure settings could face significant operational disruptions and data breaches. The vulnerability’s remote and unauthenticated nature increases the attack surface, especially if the device management interface is exposed to untrusted networks. While no active exploitation is reported, the public disclosure and ease of exploitation elevate the risk of future attacks. The medium CVSS score reflects partial impacts and some required privileges, but the real-world consequences could be severe depending on deployment context.

Immediate mitigation should focus on restricting access to the vulnerable endpoint by implementing network-level controls such as firewall rules or access control lists to block external or untrusted network access to the router’s management interface, especially the /boafrm/formLtefotaUpgradeFibocom path. Administrators should monitor network traffic for suspicious requests targeting the 'fota_url' parameter and implement intrusion detection/prevention systems with signatures for command injection attempts. Until an official firmware patch is released by D-Link, consider isolating affected devices from critical network segments and disabling remote management features if possible. Regularly check for firmware updates from D-Link and apply them promptly once available. Additionally, conduct security audits of all deployed DWR-M961 routers to identify and remediate vulnerable versions. Employ network segmentation and least privilege principles to limit the impact of any potential compromise. Finally, educate network operators about this vulnerability and encourage vigilance for unusual router behavior or network anomalies.