CVE-2026-2883: Critical Vulnerability Identified in D-Link DWR-M960 Router

CVE-2026-2883 is a high-severity vulnerability in D-Link's DWR-M960 4G/5G router running firmware version 1.01.07. Rated 8.8 (High) on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the flaw is a stack-based buffer overflow that can lead to remote code execution, and public exploit details are now circulating.

The issue resides in the function sub_427D74 (a decompiler-assigned name) behind the /boafrm/formIpQoS endpoint, part of the router's Quality of Service (QoS) management interface. By supplying an oversized submit-url argument, an attacker can overflow a fixed-size stack buffer, corrupting adjacent memory and potentially executing arbitrary code.

No exploitation in the wild is known yet, but the proof-of-concept (PoC) shared on GitHub (issue #17 in LX-66-LX/cve-new) and the VulDB entry (ID 347177) heighten the risk. The vector confirms network accessibility (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. the attacker needs a valid account on the web interface, not administrative rights beyond that), and no user interaction (UI:N).

The flaw is classified as CWE-121: Stack-based Buffer Overflow, a classic memory corruption bug in which missing length validation lets oversized input overwrite adjacent stack memory, including saved registers and the return address.

ID: CVE-2026-2883
Score: 8.8
CWE: CWE-121
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Product: DWR-M960

Successful exploitation grants attackers full device control, hijacking traffic routing and quality-of-service policies, and potentially pivoting to connected networks. In home, SMB, or service provider setups, this could enable man-in-the-middle attacks, data interception, or malware persistence.

Attack Landscape and Exposure

Devices with WAN-exposed admin interfaces or lax remote-management settings are at the top of the risk list. Home users and small offices often leave admin pages reachable from the Internet, amplifying the threat. An AI-generated risk verdict attached to the disclosure flags "high risk with potential active exploitation" following publication on February 21, 2026.

Scope is unchanged (S:U), but the impact spans confidentiality, integrity, and availability (C:H/I:H/A:H), and proof-of-concept availability in the temporal vector (E:P) signals that weaponization could be rapid.

Most likely path: crafted HTTP requests to the QoS form, sent by an authenticated user from any network vantage point that can reach the admin interface, triggering the overflow. The temporal vector's RC:R means Report Confidence: Reasonable, i.e. the report is credible but not fully vendor-confirmed, and no patch has been confirmed yet. Check D-Link's site (dlink.com) for updates.

Detection and Indicators

Spotting attempts is difficult without logs from the device itself, but watch for:

  • Device crashes or kernel panics post-QoS requests.
  • Anomalous WAN traffic with oversized submit-url payloads.
  • IDS/IPS hits on buffer overflow signatures or CTI IOCs from VulDB.
  • Erratic QoS changes, traffic spikes, or elevated CPU/memory on the router.
  • Repeated admin logins or reboots.

Tools like Wireshark or router syslog can flag these; integrate with SIEM for alerts.
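The following is an added example, not code from the article, from D-Link, or from the PoC, showing how the "oversized submit-url payload" indicator above can be checked mechanically against captured HTTP requests to the QoS form described earlier. The endpoint path and the submit-url parameter name come from the article; the 256-byte threshold, the qosEnabled field and the sample requests are constructed assumptions (the real buffer size in sub_427D74 is not stated on this page), so tune the threshold to the request lengths you observe from legitimate browser sessions.

```python
"""Flag requests to the DWR-M960 QoS form whose submit-url value is oversized.

Added example for this article (not D-Link or PoC code).  The endpoint and
parameter name are from the advisory text; SUBMIT_URL_MAX and the sample
requests below are constructed assumptions, not captured traffic.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs

QOS_ENDPOINT = "/boafrm/formIpQoS"   # endpoint named in the advisory
SUBMIT_URL_MAX = 256                 # ASSUMED safe upper bound; tune to benign traffic


def parse_http_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method.decode(), "path": path.decode(errors="replace"),
            "headers": headers, "body": body}


def check_qos_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Return an alert dict if the request targets the QoS form with a
    suspicious submit-url value, otherwise None."""
    req = parse_http_request(raw)
    if req["path"].split("?", 1)[0] != QOS_ENDPOINT:
        return None
    # latin-1 keeps a 1:1 byte mapping so raw shellcode-like bytes survive decoding
    fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    for value in fields.get("submit-url", []):
        reasons: List[str] = []
        if len(value) > SUBMIT_URL_MAX:
            reasons.append(f"submit-url length {len(value)} exceeds {SUBMIT_URL_MAX}")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            reasons.append("non-printable bytes in submit-url")
        if reasons:
            return {"path": req["path"], "length": len(value), "reasons": reasons}
    return None


def scan(requests: List[bytes]) -> List[Dict[str, object]]:
    """Run check_qos_request over a batch and collect the alerts."""
    return [a for a in (check_qos_request(r) for r in requests) if a is not None]


def build_post(path: str, body: str) -> bytes:
    """Construct a minimal HTTP/1.1 POST (test fixture, not captured traffic)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples: a normal form submit, an oversized one, and an
# unrelated endpoint that should not be flagged even with a long value.
BENIGN_REQUEST = build_post(QOS_ENDPOINT, "submit-url=%2Fqos.htm&qosEnabled=1")
OVERSIZED_REQUEST = build_post(QOS_ENDPOINT, "submit-url=" + "A" * 600 + "&qosEnabled=1")
UNRELATED_REQUEST = build_post("/status.htm", "submit-url=" + "A" * 600)

if __name__ == "__main__":
    for alert in scan([BENIGN_REQUEST, OVERSIZED_REQUEST, UNRELATED_REQUEST]):
        print("ALERT", alert)
```

Feed the checker with request bodies reconstructed from a Wireshark export or a reverse proxy log in front of the router; because the vulnerable parameter is POSTed, a plain access log that records only the request line will not contain submit-url, so body capture is required for this indicator.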

Mitigation Strategies

Prioritize urgently:

  1. Patch Immediately: Upgrade to the latest firmware from D-Link support as soon as one is released; test it in staging first if the device is business-critical.
  2. Harden Access: Disable remote management; bind admin to LAN/VPN with IP allowlists and MFA.
  3. Secure Configs: Enforce strong passwords, TLS-only interfaces, and segment routers from internals.
  4. Monitor Proactively: Hunt for IOCs; baseline service traffic norms.
  5. Fallbacks: If unpatchable, air-gap or replace exposed units.

Site: cybersecuritypath.com