CVE-2025-15191

A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made...

medium 6.3 CVSS 3.1

Published: Dec 29, 2025

Modified: Dec 30, 2025

Vendor: Dlink

Description

A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.

References

https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md#poc
https://vuldb.com/?ctiid.338576
https://vuldb.com/?id.338576
https://vuldb.com/?submit.723554
https://www.dlink.com/

Related CVEs

CVSS Breakdown

Version	3.1
Score	6.3 / 10
Severity	medium

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weakness (CWE)

CWE-74

Affected Product

Vendor	Dlink
Product	Dwr-M920 Firmware