CVE-2026-2857: Stack-based Buffer Overflow in D-Link DWR-M960
A vulnerability was determined in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_423E00 of the file /boafrm/formPortFw of the component Port Forwarding Configuration Endpoint. Manipulation of the argument submit-url causes a stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Analysis
Technical Summary
CVE-2026-2857 is a stack-based buffer overflow in D-Link DWR-M960 firmware version 1.01.07. The affected code is the function sub_423E00 (an address-derived label from the decompiled firmware, not a symbol name) behind the /boafrm/formPortFw request path of the device's boa web server, which handles the Port Forwarding configuration form; VulDB lists that path as a file. When the submit-url form parameter is longer than the fixed-size stack buffer that receives it, the copy overruns the buffer and corrupts the stack frame. The web server on this class of device runs with high privileges (commonly root), so control of the return address would give full control of the router; the page does not say whether the published exploit achieves more than a crash. The listed CVSS 4.0 base score is 8.7 (High), with a network attack vector and low attack complexity, and the impact is rated high for confidentiality, integrity and availability. One check before repeating the claim that no authentication is needed: 8.7 is the CVSS 4.0 score for that vector with low privileges required (PR:L), while the same vector with no privileges required scores 9.3, so the published vector should be consulted; if a valid session is required, an attacker must first obtain or reuse router credentials. No in-the-wild exploitation is recorded here, but the exploit is public, which shortens the window before opportunistic scanning begins. The device sits at the network edge, so a compromise exposes the network behind it. No vendor fix is linked on this page, so mitigation has to be proactive.
Potential Impact
Successful exploitation gives the attacker code execution on the DWR-M960, which on an edge device means control of the gateway: the attacker can read or alter traffic passing through it, change DNS and port-forwarding settings to expose internal hosts, disrupt connectivity, and install persistent malware or enrol the device in a botnet. Organizations that rely on these routers for internet access or network segmentation face data exposure, service outages and a pivot point for lateral movement. Exposure depends on where the management interface is reachable: if it is exposed on the WAN, the device can be attacked directly from the internet; if it is LAN-only, the attacker needs a foothold inside the network first. Because no user interaction is required, no victim involvement is needed once the endpoint is reachable, and because routers are critical infrastructure, a compromise can cascade into the wider security posture and operational continuity of the organization.
Mitigation Recommendations
Organizations should first confirm whether they operate a D-Link DWR-M960 and, in its web interface, whether the firmware version is 1.01.07. Since no vendor patch is linked on this page, mitigate as follows:
- Disable WAN-side (remote) administration, and verify from outside the network that the management ports are not reachable on the public address. On the LAN, restrict the management interface to an administration VLAN or a small set of hosts using firewall rules.
- Monitor traffic to the port-forwarding endpoint: POST requests to /boafrm/formPortFw whose submit-url parameter is unusually long, or that originate from unexpected hosts, are the signal to alert on. This needs visibility into plaintext HTTP sent to the router (a span port or proxy), since the device itself is unlikely to log such requests.
- Segment the network so that a compromised router cannot reach critical systems directly.
- Deploy IDS/IPS signatures for buffer overflow attempts against D-Link web interfaces where available; vendor rule sets usually add CVE-specific rules shortly after public disclosure.
- Check D-Link's support site regularly for fixed firmware and apply it promptly once published.
- If a fix is delayed, replace the device or place it behind a device that enforces the restrictions above.
- Brief administrators on the indicators to watch for (unexpected configuration changes, new port forwards, unexplained crashes or reboots of the router) so that exploitation attempts are noticed and handled quickly.
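The page names sub_423E00 and the submit-url parameter but does not show the handler's code, so the following is an added example, not D-Link's firmware and not the published exploit. It shows the generic bug shape described in the Technical Summary (an unbounded copy of a form value into a fixed stack buffer in a boa form handler) beside a bounded handler, and a request check of the kind the monitoring item in the mitigation list calls for. The buffer size SUBMIT_URL_MAX, the form-body parser and the sample request bodies are assumptions made for the example.

```c
/* Added illustration, not D-Link firmware. The vulnerable handler is the generic
 * unbounded-copy shape that yields a stack overflow in a boa form handler; the
 * hardened handler is the bounded alternative. SUBMIT_URL_MAX and all sample
 * bodies are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SUBMIT_URL_MAX 64   /* assumed size of the stack buffer; hypothetical */

/* Find `key` in an application/x-www-form-urlencoded body such as
 * "enable=1&submit-url=/port_fw.asp". Returns a pointer to the raw value and
 * its length in *len, or NULL when the key is absent. No percent-decoding. */
static const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = plen - klen - 1;
            return p + klen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Vulnerable shape: fixed stack buffer, copy length taken from attacker input.
 * A value of SUBMIT_URL_MAX bytes or more writes past `url` into the saved
 * registers and return address. Only ever called with a short value here. */
int vulnerable_form_port_fw(const char *body)
{
    char url[SUBMIT_URL_MAX];
    size_t vlen;
    const char *v = form_value(body, "submit-url", &vlen);
    if (!v)
        return -1;
    memcpy(url, v, vlen);          /* no check against sizeof url */
    url[vlen] = '\0';
    return (int)strlen(url);
}

/* Hardened shape: check the length before any copy, copy with an explicit bound,
 * and accept only a local absolute path so the value cannot redirect off-device.
 * Returns 0 on success, -1 missing, -2 too long, -3 not a local path. */
int hardened_form_port_fw(const char *body, char *out, size_t outlen)
{
    size_t vlen;
    const char *v = form_value(body, "submit-url", &vlen);
    if (!v)
        return -1;
    if (vlen >= SUBMIT_URL_MAX || vlen >= outlen)
        return -2;
    if (vlen == 0 || v[0] != '/' || (vlen > 1 && v[1] == '/'))
        return -3;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Convenience wrapper that returns only the status code. */
int hardened_status(const char *body)
{
    char out[SUBMIT_URL_MAX];
    return hardened_form_port_fw(body, out, sizeof out);
}

/* Network-side check for the monitoring recommendation: a POST to the port
 * forwarding endpoint whose submit-url is long enough to overrun the buffer. */
int is_suspicious_port_fw_request(const char *method, const char *path,
                                  const char *body)
{
    size_t vlen;
    if (strcmp(method, "POST") != 0 || strcmp(path, "/boafrm/formPortFw") != 0)
        return 0;
    const char *v = form_value(body, "submit-url", &vlen);
    return (v != NULL && vlen >= SUBMIT_URL_MAX) ? 1 : 0;
}

/* Constructed sample body with a 200-byte submit-url (not a real capture). */
const char *oversized_body(void)
{
    static char buf[256];
    if (buf[0] == '\0') {
        strcpy(buf, "enable=1&submit-url=");
        memset(buf + strlen(buf), 'A', 200);
        buf[strlen("enable=1&submit-url=") + 200] = '\0';
    }
    return buf;
}

int main(void)
{
    const char *benign = "enable=1&submit-url=/port_fw.asp&proto=tcp"; /* constructed */
    printf("benign:    hardened=%d suspicious=%d\n", hardened_status(benign),
           is_suspicious_port_fw_request("POST", "/boafrm/formPortFw", benign));
    printf("oversized: hardened=%d suspicious=%d\n", hardened_status(oversized_body()),
           is_suspicious_port_fw_request("POST", "/boafrm/formPortFw", oversized_body()));
    return 0;
}
```

The length check in the hardened handler is the fix for the overflow; the local-path check is the extra constraint a submit-url style redirect parameter should carry anyway. The request check is deliberately simple (endpoint plus value length) so it can be ported to an IDS rule or a proxy filter that sees the plaintext request.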
Affected Countries
United States, Canada, Germany, United Kingdom, France, Australia, Japan, South Korea, India, Brazil, Mexico, Russia, China, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-20T10:37:52.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6998cf5abe58cf853bb24faa
Added to database: 2/20/2026, 9:17:14 PM
Last enriched: 2/20/2026, 9:31:29 PM
Last updated: 2/21/2026, 1:38:18 AM
Related Threats
- CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp (High)
- CVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail (High)
- CVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator (High)
- CVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno (High)
- CVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf (Medium)