CVE-2026-2959 is a stack-based buffer overflow vulnerability identified in the D-Link DWR-M960 router firmware version 1.01.07. The vulnerability resides in the function sub_44E0F8, specifically in the /boafrm/formNewSchedule file, where the 'url' parameter is improperly validated or sanitized. This improper handling allows an attacker to craft a malicious request that overflows the stack buffer, potentially overwriting return addresses or control data. Because the vulnerability is remotely exploitable without requiring authentication or user interaction, attackers can execute arbitrary code on the device with elevated privileges, leading to full compromise of the router. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation (network vector, low attack complexity, no privileges or user interaction needed). The exploit code has been publicly released, increasing the likelihood of exploitation attempts. The vulnerability affects only firmware version 1.01.07, and no official patches have been linked yet. The DWR-M960 is a 5G NR router used in various enterprise and consumer environments, making this vulnerability a significant threat to network security.

The exploitation of CVE-2026-2959 can have severe consequences for organizations worldwide. Successful attacks can lead to full compromise of the affected router, allowing attackers to intercept, modify, or disrupt network traffic, potentially leading to data breaches, espionage, or denial of service. The attacker could also use the compromised device as a foothold to pivot into internal networks, escalating attacks against critical infrastructure or sensitive systems. Given the router’s role in providing 5G connectivity, disruption could impact business continuity and communications. The availability of a public exploit increases the risk of widespread attacks, including automated scanning and exploitation campaigns. Organizations relying on D-Link DWR-M960 devices without mitigation are at heightened risk of operational disruption and data loss.

Organizations should immediately inventory their network to identify any D-Link DWR-M960 devices running firmware version 1.01.07. Since no official patch links are currently available, interim mitigations include restricting remote access to the device management interface via firewall rules or network segmentation to limit exposure to untrusted networks. Disabling remote management features, if not required, can reduce attack surface. Monitoring network traffic for unusual requests targeting /boafrm/formNewSchedule or anomalous behavior on the router can help detect exploitation attempts. Organizations should engage with D-Link support for firmware updates or security advisories and apply patches as soon as they are released. Additionally, consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability once available. Regularly updating device firmware and maintaining an asset management program will help prevent similar vulnerabilities from being exploited in the future.