A critical vulnerability in D-Link’s DWR-M960 4G/5G router, assigned CVE-2026-2881, could allow remote attackers to crash devices or execute arbitrary code via a stack-based buffer overflow.
Publicly disclosed on February 21, 2026, the flaw carries a CVSS v3.1 base score of 8.8 (High) due to improper handling of the “submit-url” argument in the Advanced Firewall Configuration endpoint.
The vulnerability resides in the sub_425FF8 function within /boafrm/formFirewallAdv, a Boa web server endpoint for managing advanced firewall rules on the DWR-M960 running firmware version 1.01.07.
Attackers with low-privilege access, such as a valid user account, can remotely trigger the overflow by submitting a specially crafted “submit-url” payload.
This leads to stack corruption, potentially enabling full control over the device (C:H/I:H/A:H). The attack vector is network-accessible (AV:N/AC:L/PR:L/UI:N/S:U), making it exploitable without user interaction once initial access is obtained.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-2881 |
| Severity | High (CVSS v3.1: 8.8) |
| Vendor | D-Link |
| Product | DWR-M960 |
| Affected Version | 1.01.07 |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R |
Vulnerability Identified in D-Link DWR-M960
At its core, CVE-2026-2881 exploits CWE-121: Stack-based Buffer Overflow. The formFirewallAdv handler fails to bounds-check the submit-url parameter, allowing oversized input to overflow a fixed-size stack buffer.
In embedded systems like the DWR-M960, a popular choice for SMBs, remote offices, and mobile deployments, this can overwrite return addresses, hijack control flow, or dump sensitive memory.
CVSS breakdown:
- Attack Vector (Network): Remotely triggerable over HTTP/HTTPS.
- Attack Complexity (Low): No advanced skills needed beyond crafting a malicious POST request.
- Privileges Required (Low): Authenticated access suffices, often via default creds or phishing.
- Impact: High confidentiality (e.g., leak firewall rules, credentials), integrity (alter rules), and availability (DoS via crashes).
Disassembled snippets from the PoC reveal the overflow in action: a long submit-url string exceeds the buffer at offset 0x425FF8, smashing the stack frame.
Why It Matters and Attack Paths
This flaw matters because DWR-M960 routers often sit at network edges, handling VPNs, firewalls, and internet gateways. Compromise grants pivot points for lateral movement, data exfiltration, or botnet recruitment. Most likely path: an attacker phishes admin creds, then POSTs an overflow payload to /boafrm/formFirewallAdv.
Most Exposed: SMBs, teleworkers, and ISPs using default firmware. Devices exposed to the internet via UPnP or misconfigured ports amplify risks.
Detection Strategies
Spot it early with these indicators:
- Sudden reboots or crash dumps tied to formFirewallAdv.
- Memory spikes or segfaults in Boa processes.
- Logs flagging malformed submit-url values or external POSTs to the endpoint.
- IDS/IPS hits on PoC signatures; monitor for GitHub-linked traffic.
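As an added example (not code from the advisory, D-Link, or the PoC), the following Python checker applies the log-based indicators above to web-server access log lines: it flags requests to /boafrm/formFirewallAdv whose submit-url value is oversized or malformed, 5xx responses from that endpoint, and POSTs from outside the LAN. The access-log format, the 128-byte threshold, the LAN ranges and the sample lines are all assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Endpoint and parameter names come from the advisory; the log format,
# length threshold, LAN ranges and sample lines are constructed here.
VULN_PATH = "/boafrm/formFirewallAdv"
VULN_PARAM = "submit-url"
MAX_SANE_LEN = 128  # assumed: a legitimate submit-url is a short page path
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed access-log format: CLIENT METHOD PATH STATUS "URL-ENCODED BODY"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<body>.*)"$'
)

def analyze_line(line):
    """Return the reasons a request looks like CVE-2026-2881 abuse ([] if benign)."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("path").split("?", 1)[0] != VULN_PATH:
        return []  # not the vulnerable endpoint
    reasons = []
    body = parse_qs(m.group("body"), keep_blank_values=True)
    for value in body.get(VULN_PARAM, []):
        if len(value) > MAX_SANE_LEN:
            reasons.append(f"{VULN_PARAM} length {len(value)} exceeds {MAX_SANE_LEN}")
        if not re.fullmatch(r"[\w./?=&%-]*", value):
            reasons.append(f"{VULN_PARAM} contains non-path characters")
    if m.group("status").startswith("5"):
        reasons.append("5xx from firewall endpoint (possible Boa crash)")
    try:
        client = ipaddress.ip_address(m.group("client"))
        if not any(client in net for net in LAN_NETS):
            reasons.append("POST from outside assumed LAN ranges")
    except ValueError:
        reasons.append("unparseable client address")
    return reasons

def scan(lines):
    """Map the index of each suspicious line to its reasons."""
    return {i: r for i, l in enumerate(lines) if (r := analyze_line(l))}

# Constructed sample lines: a benign LAN admin request, an oversized
# submit-url from an external address that crashed the server, and one unrelated.
SAMPLE_LOG = [
    '192.168.0.10 POST /boafrm/formFirewallAdv 200 "submit-url=%2Ffirewall_adv.htm&fwEnable=1"',
    '203.0.113.7 POST /boafrm/formFirewallAdv 500 "submit-url=' + "A" * 600 + '"',
    '192.168.0.11 GET /index.htm 200 ""',
]
```

Running scan(SAMPLE_LOG) flags only the second line, with all three reasons; adapt LOG_RE to the router's or reverse proxy's actual log format before use.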
Mitigation Roadmap
Prioritize these steps:
- Patch Immediately: Watch D-Link for firmware updates beyond 1.01.07.
- Restrict Access: Disable remote admin; mandate VPN for config changes.
- Segment Networks: Isolate routers; block WAN access to /boafrm/*.
- Monitor Actively: Enable logging and anomaly detection for stack faults; draft incident playbooks.
- EPSS/KEV Check: If EPSS ≥0.5% or KEV-listed, escalate to P1.
D-Link users should audit exposures now. This joins a string of router vulnerabilities underscoring the urgency of firmware updates in IoT edges.
Site: cybersecuritypath.com