CVE-2026-2085 is a command injection vulnerability identified in the D-Link DWR-M921 router firmware version 1.1.50. The vulnerability resides in the USSD Configuration Endpoint, specifically in the function sub_419F20 within the /boafrm/formUSSDSetup component. The issue arises from improper sanitization of the ussdValue parameter, allowing an attacker to inject arbitrary OS commands remotely. The attack vector is network-based and does not require user interaction or authentication, making it highly accessible to remote attackers. The vulnerability has a CVSS 4.0 base score of 8.6, indicating high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact metrics indicate high confidentiality, integrity, and availability impacts, meaning an attacker could fully compromise the device, execute arbitrary commands, manipulate configurations, and disrupt network services. Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The DWR-M921 is a 4G LTE router commonly used in small to medium business and residential environments, often deployed in regions with limited wired infrastructure. The vulnerability's exploitation could allow attackers to gain persistent control over the device, intercept or redirect traffic, or use the device as a foothold for further attacks within the network. No official patches or mitigation instructions have been published at the time of this report, necessitating immediate defensive measures.

The impact of CVE-2026-2085 is significant for organizations using the D-Link DWR-M921 router. Successful exploitation can lead to complete device compromise, allowing attackers to execute arbitrary commands with high privileges. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, disruption of network availability, and potential lateral movement to other connected systems. For businesses relying on these routers for critical connectivity, especially in remote or branch locations, this vulnerability poses a risk to operational continuity and data confidentiality. Additionally, compromised routers can be leveraged as part of botnets or for launching further attacks, amplifying the threat landscape. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the risk of widespread attacks if the vulnerability is weaponized. The absence of patches further exacerbates the threat, leaving affected devices exposed until mitigations or updates are applied.

Given the absence of an official patch, organizations should implement immediate compensating controls. First, restrict network access to the router's management interfaces by applying firewall rules to limit connections to trusted IP addresses only. Disable remote management features if not required, especially those exposing the USSD Configuration Endpoint. Monitor network traffic for unusual or suspicious activity indicative of command injection attempts. Employ network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data. Regularly audit device configurations and logs for signs of compromise. If possible, upgrade to a newer firmware version once available or consider replacing affected devices with models not susceptible to this vulnerability. Additionally, inform users and administrators about the risk and enforce strict access controls and strong authentication mechanisms on all network devices. Engage with D-Link support channels to obtain updates or guidance on remediation. Finally, maintain up-to-date intrusion detection and prevention systems capable of recognizing exploitation attempts targeting this vulnerability.