CVE-2026-2085: Command Injection in D-Link DWR-M921
CVE-2026-2085 is a high-severity command injection vulnerability affecting D-Link DWR-M921 firmware version 1.1.50. The flaw is in the USSD configuration handler behind /boafrm/formUSSDSetup, identified in the advisory by the decompiler label sub_419F20; the ussdValue parameter reaches a system command without sanitization, so a remote attacker can execute arbitrary commands on the device. The advisory rates exploitation as requiring no user interaction and no privileges, so any host that can reach the web interface can attempt it. No public exploit is known in the wild, but the vulnerability has been publicly disclosed, which increases the likelihood of exploitation attempts. A successful attack compromises the confidentiality, integrity and availability of the device. European organizations using this router, especially in telecommunications or remote-connectivity roles, are exposed. Mitigation means applying a D-Link firmware update as soon as one is available and, until then, restricting network access to the vulnerable endpoint. Countries with higher adoption of D-Link networking equipment and significant telecom infrastructure are more likely to be targeted.
AI Analysis
Technical Summary
CVE-2026-2085 is a command injection vulnerability in the D-Link DWR-M921 router, firmware version 1.1.50. It resides in the USSD configuration handler behind /boafrm/formUSSDSetup (the /boafrm/ prefix is the form-handler path convention of the embedded Boa web server); the advisory identifies the function by its decompiler label sub_419F20, an auto-generated name for the routine at address 0x419F20 rather than a symbol present in the firmware. The handler does not sanitize or validate the ussdValue parameter before it reaches a system command, so a request carrying shell metacharacters in that field makes the device execute attacker-supplied commands. A legitimate USSD code consists only of digits, '*' and '#', which makes the absent input check easy to retrofit and trivial to enforce. Because the advisory rates exploitation as requiring neither user interaction nor privileges, an attacker needs only network reachability to the web interface to send crafted requests to the endpoint. The result can be full compromise of the router: control over device functionality, interception or manipulation of traffic passing through it, and a foothold for pivoting into internal networks. The CVSS 4.0 base score of 8.6 reflects high impact on confidentiality, integrity and availability combined with ease of exploitation (network attack vector, no user interaction, no privileges required). No exploits are known to be active in the wild, but public disclosure raises the likelihood of attempts. The DWR-M921 is commonly deployed for remote wireless broadband, so organizations that depend on it for critical connectivity should treat this as urgent. With no official patch available at the time of disclosure, immediate mitigation rests on network segmentation, access controls and monitoring for suspicious requests to the USSD endpoint.
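The following C example is added for this page and is not D-Link firmware or code from the advisory. It shows the pattern the analysis describes, a form parameter spliced into a shell command line and executed, next to a hardened handler that validates ussdValue against the USSD character set and invokes the helper without a shell. The helper name ussd_send, the command template, the handler layout and the hostile input are assumptions; the advisory names only the endpoint, the parameter and the label sub_419F20.

```c
/* Added illustration for this page: the command-injection pattern the advisory
 * describes next to a hardened sink. Not D-Link's code. The helper name
 * "ussd_send", the command template and the handler layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256

/* VULNERABLE sink: the form value is spliced into a shell command line.
 * Returns the string that would be handed to system(); it lives in static
 * storage so the effect can be inspected without executing anything. */
const char *vulnerable_build_command(const char *ussd_value)
{
    static char cmd[CMD_MAX];
    snprintf(cmd, sizeof cmd, "ussd_send \"%s\"", ussd_value); /* assumed template */
    return cmd;
}

/* The shape of the bug: system() runs the string through /bin/sh -c, so a
 * quote, ';', '|', '`' or "$(" inside ussd_value ends the intended command
 * and starts the attacker's. Never called in this program. */
void vulnerable_handler(const char *ussd_value)
{
    int rc = system(vulnerable_build_command(ussd_value));
    (void)rc;
}

/* Allowlist for USSD codes: digits, '*' and '#', bounded length. A real USSD
 * string such as "*100#" never needs anything else. */
int ussd_value_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= '0' && c <= '9') || c == '*' || c == '#'))
            return 0;
    }
    return 1;
}

/* HARDENED sink: validate, then execv() the helper with an argv array so no
 * shell ever parses the value. Returns the helper's exit status, or -1 when
 * validation fails or the child cannot be waited for. */
int hardened_send_ussd(const char *helper_path, const char *ussd_value)
{
    if (!ussd_value_is_safe(ussd_value))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)helper_path, (char *)ussd_value, NULL };
        execv(helper_path, argv);
        _exit(127); /* exec failed: the conventional "command not found" status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed values, not a recorded exploit: a normal balance-check code
     * and one carrying a shell metacharacter sequence. */
    const char *benign = "*100#";
    const char *hostile = "*100#\"; id; \"";
    printf("vulnerable command line: %s\n", vulnerable_build_command(hostile));
    printf("allowlist(%s) = %d\n", benign, ussd_value_is_safe(benign));
    printf("allowlist(hostile) = %d\n", ussd_value_is_safe(hostile));
    /* /bin/true stands in for the USSD helper so this runs anywhere. */
    printf("hardened benign -> %d, hardened hostile -> %d\n",
           hardened_send_ussd("/bin/true", benign),
           hardened_send_ussd("/bin/true", hostile));
    return 0;
}
```

The two defences are independent and both belong in the fix: the allowlist rejects anything that is not a USSD code, and execv() with an argv array means that even a value the allowlist missed would arrive at the helper as one inert argument rather than as shell syntax.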
Potential Impact
The impact of CVE-2026-2085 on European organizations can be significant, especially for those utilizing the D-Link DWR-M921 routers in their network infrastructure. Successful exploitation allows attackers to execute arbitrary commands remotely, potentially leading to full device compromise. This can result in unauthorized access to internal networks, interception or manipulation of sensitive data, disruption of network services, and use of compromised devices as footholds for further attacks. Telecommunications providers, enterprises with remote sites, and critical infrastructure operators using these routers are at heightened risk. The compromise of such devices could undermine network integrity and availability, impacting business continuity and data confidentiality. Furthermore, attackers could leverage compromised routers to launch attacks against other internal systems or external targets, amplifying the threat. Given the router’s role in providing network connectivity, exploitation could also disrupt communications, affecting operational capabilities across affected organizations.
Mitigation Recommendations
1. Restrict network access to the device's web interface, and in particular to /boafrm/formUSSDSetup, with firewall rules or access control lists that admit only trusted management hosts. The handler runs on the router itself, so the filtering has to sit in front of the device (an upstream firewall, or the router's own remote-management settings); a rule on a host behind the router does nothing.
2. Monitor traffic for requests to the vulnerable endpoint. A legitimate ussdValue is a USSD code (digits, '*' and '#' only), so any request whose decoded parameter contains other characters, shell metacharacters such as ';', '|', '`' or '$(' in particular, is a strong alert signal for IDS/IPS or web-proxy logging.
3. Disable remote (WAN-side) management if it is not strictly necessary, or restrict it to VPN access.
4. Engage D-Link support channels to obtain a firmware update addressing this vulnerability as soon as one is available, and apply it.
5. If patching is delayed, segment vulnerable routers from critical internal networks so a compromised device cannot reach them directly.
6. Audit affected devices for signs of compromise: unexpected configuration changes, unfamiliar processes, or new outbound connections originating from the router.
7. Educate network administrators on the risk of exposing the USSD endpoint and ensure secure configuration practices are followed.
8. Keep logging enabled on management interfaces so that access attempts are recorded. Strong authentication remains good practice, but it does not by itself block this flaw, which the advisory rates as exploitable without privileges.
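The following added example, written for this page rather than taken from D-Link or any IDS vendor, implements the monitoring check in item 2 as a small classifier over raw HTTP requests: it percent-decodes ussdValue from a POST body or GET query string and alerts when the value contains anything outside the USSD character set. It assumes the form is submitted application/x-www-form-urlencoded (the advisory does not state the encoding); the sample requests are constructed.

```c
/* Added example for the monitoring recommendation: classify requests to the
 * vulnerable endpoint. Not vendor code or a published signature. Assumes a
 * urlencoded ussdValue field in the POST body or GET query string. */
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 256

enum verdict { VERDICT_IGNORE = 0, VERDICT_BENIGN = 1, VERDICT_SUSPICIOUS = 2 };

static const char ENDPOINT[] = "/boafrm/formUSSDSetup";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..srclen) into dst ('+' becomes a space). Decoding first
 * matters: ';' arrives as %3B and a check on the raw bytes would miss it. */
static void url_decode(char *dst, size_t n, const char *src, size_t srclen)
{
    size_t o = 0;
    for (size_t i = 0; i < srclen && o + 1 < n; i++) {
        if (src[i] == '%' && i + 2 < srclen &&
            hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            dst[o++] = (char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 2;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
}

/* Locate name=value in a urlencoded string and decode the value into out.
 * Returns 1 if the field is present. */
static int form_field(const char *params, const char *name, char *out, size_t n)
{
    size_t nl = strlen(name);
    const char *p = params;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == params || p[-1] == '&') && p[nl] == '=') {
            const char *v = p + nl + 1;
            const char *e = strchr(v, '&');
            url_decode(out, n, v, e ? (size_t)(e - v) : strlen(v));
            return 1;
        }
        p += nl;
    }
    return 0;
}

/* A USSD code is digits, '*' and '#'. Matching on that allowlist beats a
 * blocklist of shell metacharacters, which is easy to evade. */
static int ussd_charset_ok(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || *s == '*' || *s == '#')) return 0;
    return 1;
}

/* Classify one raw HTTP request (request line, headers, body; CRLF separated). */
enum verdict classify_request(const char *raw)
{
    char line[512], value[VALUE_MAX];
    const char *eol = strstr(raw, "\r\n");
    size_t ll = eol ? (size_t)(eol - raw) : strlen(raw);
    if (ll >= sizeof line) ll = sizeof line - 1;
    memcpy(line, raw, ll);
    line[ll] = '\0';

    char *target = strchr(line, ' ');          /* METHOD SP target SP version */
    if (!target) return VERDICT_IGNORE;
    target++;
    char *end = strchr(target, ' ');
    if (end) *end = '\0';
    if (strncmp(target, ENDPOINT, sizeof ENDPOINT - 1) != 0) return VERDICT_IGNORE;

    int found = 0;
    char *query = strchr(target, '?');
    if (query) found = form_field(query + 1, "ussdValue", value, sizeof value);
    const char *body = strstr(raw, "\r\n\r\n");
    if (!found && body) found = form_field(body + 4, "ussdValue", value, sizeof value);
    if (!found) return VERDICT_BENIGN;         /* endpoint touched, parameter absent */
    return ussd_charset_ok(value) ? VERDICT_BENIGN : VERDICT_SUSPICIOUS;
}

/* Constructed sample traffic (192.0.2.1 is a documentation address). */
const char *const SAMPLES[] = {
    "POST /boafrm/formUSSDSetup HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nussdValue=*100%23&submit=Send",
    "POST /boafrm/formUSSDSetup HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
    "ussdValue=*100%23%3Bcat%20%2Fetc%2Fpasswd&submit=Send",
    "GET /boafrm/formUSSDSetup?ussdValue=%60id%60 HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
};
const size_t SAMPLE_COUNT = sizeof SAMPLES / sizeof SAMPLES[0];

/* Number of samples that should raise an alert. */
int count_suspicious(void)
{
    int n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (classify_request(SAMPLES[i]) == VERDICT_SUSPICIOUS) n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "ignore", "benign", "SUSPICIOUS" };
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("sample %zu: %s\n", i, names[classify_request(SAMPLES[i])]);
    printf("alerts: %d\n", count_suspicious());
    return 0;
}
```

Decoding before matching is the part naive signatures miss: %3B passes a raw-byte check for ';'. Because the rule is an allowlist, newline (%0a), backtick and $() forms are all caught without being enumerated.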
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-06T08:20:31.394Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69872ccdf9fa50a62f8287cd
Added to database: 2/7/2026, 12:15:09 PM
Last enriched: 2/7/2026, 12:29:37 PM
Last updated: 2/7/2026, 1:19:57 PM
Related Threats
- CVE-2026-2084: OS Command Injection in D-Link DIR-823X (High)
- CVE-2026-2083: SQL Injection in code-projects Social Networking Site (Medium)
- CVE-2026-2082: OS Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)
- CVE-2026-2079: Improper Authorization in yeqifu warehouse (Medium)