CVE 8.6 HIGH

D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection_CVE-2026-2085

February 7, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

AI Analysis

Command injection vulnerability in the USSD Configuration Endpoint of D-Link DWR-M921 via the ussdValue argument

Basic Information

ID CVE-2026-2085

Source VulDB

Published Feb 7, 2026 at 12:02

Affected Product

Vendor D-Link

Product DWR-M921

Version 1.1.50

Affected Versions D-Link DWR-M921 1.1.50

CWE Classification

CWE-77 CWE-74

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor D-Link

Product DWR-M921

Version 1.1.50

References

{
    "lastseen": "",
    "description": "A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.",
    "published": "2026-02-07T12:02:08.316Z",
    "modified": "2026-02-07T12:02:08.316Z",
    "type": "cve",
    "title": "D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.344652\nhttps://vuldb.com/?ctiid.344652\nhttps://vuldb.com/?submit.746400\nhttps://github.com/LX-66-LX/cve-new/issues/1\nhttps://github.com/LX-66-LX/cve-new/issues/1#issue-3851345029\nhttps://www.dlink.com/",
    "id": "CVE-2026-2085",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "D-Link DWR-M921 1.1.50",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DWR-M921",
    "version": "1.1.50",
    "vendor": "D-Link",
    "ai_description": "Command injection vulnerability in the USSD Configuration Endpoint of D-Link DWR-M921 via the ussdValue argument",
    "ai_severity": "High",
    "ai_vendor": "D-Link",
    "ai_product": "DWR-M921",
    "ai_version": "1.1.50",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply