CVE-2026-1624 is a command injection vulnerability identified in the D-Link DWR-M961 router, specifically in version 1.1.47. The vulnerability resides in an unknown function within the /boafrm/formLtefotaUpgradeFibocom endpoint, where the 'fota_url' parameter is improperly sanitized, allowing an attacker to inject and execute arbitrary system commands remotely. This flaw can be exploited without authentication or user interaction, making it accessible to any remote attacker with network access to the device. The vulnerability stems from inadequate input validation, permitting command injection through crafted HTTP requests targeting the firmware over-the-air (FOTA) upgrade mechanism. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the network attack vector, lack of required privileges, and partial impact on confidentiality, integrity, and availability. Although no public patches have been linked yet, the disclosure of the exploit details increases the risk of exploitation. The vulnerability could allow attackers to gain control over the device, disrupt network operations, or pivot to internal networks, compromising broader organizational security. Given the device's role in providing LTE connectivity, exploitation could impact critical communication channels, especially in environments relying on these routers for remote or mobile connectivity.

For European organizations, the impact of CVE-2026-1624 can be significant, particularly for those relying on D-Link DWR-M961 routers for LTE connectivity in enterprise, industrial, or critical infrastructure settings. Successful exploitation could lead to unauthorized command execution, enabling attackers to disrupt network availability, intercept or manipulate data, and potentially establish persistent footholds within internal networks. This could affect confidentiality by exposing sensitive communications, integrity by altering device configurations or data flows, and availability by causing device malfunctions or denial of service. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in organizations with exposed management interfaces or insufficient network segmentation. The vulnerability could also be leveraged as a stepping stone for lateral movement in corporate or governmental networks, amplifying its potential damage. European telecom providers or enterprises using these devices in field deployments may face operational disruptions and reputational damage if exploited.

To mitigate CVE-2026-1624, affected organizations should prioritize the following actions: 1) Monitor D-Link’s official channels for firmware updates addressing this vulnerability and apply patches immediately upon release. 2) If patches are unavailable, restrict network access to the /boafrm/formLtefotaUpgradeFibocom endpoint by implementing firewall rules or access control lists that limit exposure to trusted management networks only. 3) Disable remote management interfaces on the DWR-M961 devices unless absolutely necessary, and enforce strong authentication mechanisms where remote access is required. 4) Employ network segmentation to isolate LTE routers from critical internal systems, reducing the risk of lateral movement. 5) Conduct regular network traffic monitoring and anomaly detection to identify suspicious requests targeting the vulnerable endpoint. 6) Educate IT staff about the vulnerability and ensure incident response plans include steps for potential exploitation scenarios involving network devices. 7) Consider deploying intrusion prevention systems (IPS) with signatures capable of detecting command injection attempts against this specific endpoint. These targeted measures go beyond generic advice and focus on reducing the attack surface and improving detection capabilities.