CVE-2026-1625 is a command injection vulnerability identified in the D-Link DWR-M961 router, firmware version 1.1.47. The flaw resides in the function sub_4250E0 within the /boafrm/formSmsManage component, which handles SMS message management. By manipulating the 'action_value' argument, an attacker can inject arbitrary commands that the system executes, leading to remote code execution. The vulnerability requires no user interaction and no authentication, making it remotely exploitable over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit is publicly available, increasing the likelihood of exploitation, although no active exploitation has been reported yet. The vulnerability affects the device's core management interface, potentially allowing attackers to take control of the router, disrupt network services, intercept or manipulate traffic, and pivot to internal networks. No official patches or updates have been released at the time of publication, and no mitigations are documented by the vendor. This vulnerability highlights the risks associated with embedded device management interfaces, especially those exposed to untrusted networks or the internet.

The impact of CVE-2026-1625 is significant for organizations relying on the D-Link DWR-M961 router. Successful exploitation allows remote attackers to execute arbitrary commands on the device without authentication, compromising device integrity and availability. Attackers could disrupt network connectivity, intercept or alter network traffic, or use the compromised router as a foothold for further attacks within the internal network. This can lead to data breaches, service outages, and loss of control over critical network infrastructure. Given the router's role in managing SMS messages, attackers might also exploit this vector to manipulate communication or trigger additional attacks. The public availability of the exploit increases the risk of widespread attacks, especially in environments where the device is exposed to untrusted networks. Organizations with limited network segmentation or weak perimeter defenses are particularly vulnerable. The medium CVSS score reflects partial impact and some attack complexity, but the lack of authentication and user interaction requirements elevate the threat level. Without timely mitigation, this vulnerability could be leveraged for espionage, sabotage, or ransomware delivery.

To mitigate CVE-2026-1625 effectively, organizations should implement the following specific measures: 1) Immediately restrict access to the router's management interfaces, especially the SMS management component, by limiting access to trusted IP addresses and disabling remote management over the internet if not required. 2) Disable the SMS message management feature entirely if it is not in use to eliminate the attack surface. 3) Employ network segmentation to isolate the router from critical internal networks, reducing the impact of a compromised device. 4) Monitor network traffic for unusual command execution patterns or unexpected outbound connections originating from the router. 5) Implement strict firewall rules to block unauthorized inbound traffic targeting the router's management ports. 6) Regularly audit device firmware versions and configurations to ensure compliance with security best practices. 7) Engage with D-Link support channels to obtain information on forthcoming patches or firmware updates addressing this vulnerability and apply them promptly once available. 8) Consider deploying intrusion detection or prevention systems capable of recognizing exploitation attempts targeting this vulnerability. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and attack vector.