CVE-2026-1625 is a command injection vulnerability identified in the D-Link DWR-M961 router, version 1.1.47. The vulnerability resides in the SMS Message component, specifically within the function sub_4250E0 located in the /boafrm/formSmsManage endpoint. An attacker can manipulate the action_value parameter to inject and execute arbitrary system commands remotely. This vulnerability does not require user authentication or interaction, making it accessible to remote unauthenticated attackers over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, indicating low privileges but not none), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploitability is enhanced by the lack of required user interaction and the remote nature of the attack. Although no public patches or fixes are currently available, the exploit code has been made public, increasing the risk of exploitation. The vulnerability could allow attackers to execute arbitrary commands on the device, potentially leading to device compromise, unauthorized access to network traffic, or disruption of network services. The DWR-M961 is a 4G LTE router commonly used in enterprise and telecom environments for mobile broadband connectivity, making this vulnerability significant for organizations relying on this hardware for critical communications.

For European organizations, the impact of CVE-2026-1625 can be substantial, particularly for those using the D-Link DWR-M961 router in their network infrastructure. Successful exploitation could lead to unauthorized command execution on the device, resulting in compromised device integrity, potential interception or manipulation of network traffic, and disruption of connectivity services. This could affect business continuity, especially for enterprises and telecom providers relying on these routers for mobile broadband access or failover connectivity. The vulnerability could also be leveraged as a foothold for lateral movement within corporate networks, increasing the risk of broader compromise. Given the router’s role in network edge security, exploitation could expose sensitive data or disrupt critical communications. The medium CVSS score reflects moderate impact, but the ease of remote exploitation without authentication elevates the threat level. European organizations in sectors such as telecommunications, finance, and critical infrastructure are particularly at risk due to their reliance on secure and reliable network connectivity.

1. Immediately isolate affected D-Link DWR-M961 devices from untrusted networks to limit exposure. 2. Disable the SMS Message management functionality if it is not required for business operations, as this is the vulnerable component. 3. Implement strict network segmentation and firewall rules to restrict access to the router’s management interfaces, especially from external networks. 4. Monitor network traffic and device logs for unusual commands or activity indicative of exploitation attempts. 5. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns targeting the /boafrm/formSmsManage endpoint. 6. Engage with D-Link support or authorized vendors to obtain firmware updates or patches as soon as they become available. 7. Consider replacing vulnerable devices with models that have received security updates if patching is not feasible. 8. Educate network administrators about the vulnerability and ensure secure configuration practices are followed. 9. Regularly audit device firmware versions and configurations to ensure compliance with security policies. 10. Prepare incident response plans to quickly address potential exploitation scenarios involving this vulnerability.