D-Link DWR-M961 Command Injection Vulnerability

1. Overview

Vendor: D-Link
Product: DWR-M961
Version: Hardware Version A2, Firmware Version V1.1.47
Vulnerability Type: Command Injection
Affected Component: endpoint

2. Vulnerability Description

The D-Link DWR-M961 4G LTE router has a command injection vulnerability in the binary. The vulnerability is located in the function , which handles requests for the endpoint. It retrieves the parameter and fails to properly sanitize it before passing it to to construct and execute a shell command via the function. This allows an authenticated attacker to execute arbitrary system commands with root privileges.

3. Technical Analysis

Vulnerable Function:
Vulnerable Parameter:
Logic Flow:
1. Retrieves the value.
2. Checks for protocol headers (http/https/ftp).
3. If the condition is met, formats the input into a command string using .
4. Executes the resulting string via without sanitizing shell metacharacters.

4. Firmware Emulation

The firmware was emulated using tools like FirmAE/FAT. The web interface is accessible and the vulnerability can be triggered in the simulated environment.

5. Proof of Concept (PoC)

The provided Python script authenticates with the router and sends a malicious payload to exploit the vulnerability for command injection. Execution of the command is demonstrated via a terminal screenshot.
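
The logic flow in section 3 with the missing sanitization step added, as an example written for this page and not code from the firmware or from the advisory's author: the protocol check is kept, the value is then allow-listed, and the command runs through execv() with the value as a single argument so no shell parses it. The function names, the FETCH_TOOL path and the sample URLs in the comments are assumptions, since the advisory's own identifiers are not present on the page.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define FETCH_TOOL "/usr/bin/fetch-tool" /* placeholder path, not from the advisory */

/* Step 2 of the logic flow (hypothetical helper): the value must start with
 * http/https/ftp. On its own this says nothing about the rest of the string. */
int has_allowed_scheme(const char *url)
{
    static const char *schemes[] = { "http://", "https://", "ftp://" };
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            return 1;
    return 0;
}

/* Allow-list (hypothetical helper): letters, digits and a small set of URL
 * punctuation. Shell metacharacters, whitespace and control bytes fail. */
int url_is_safe(const char *url)
{
    size_t len = strlen(url);
    if (len == 0 || len > 255 || !has_allowed_scheme(url))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr("-._~:/?=%@+", c) == NULL)
            return 0;
    }
    return 1;
}

/* Runs the tool with the URL as one argv element instead of a formatted
 * shell string. Returns the exit status, or -1 if rejected or on failure. */
int fetch_url(const char *url)
{
    pid_t pid = url_is_safe(url) ? fork() : -1;
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)FETCH_TOOL, (char *)url, NULL };
        execv(FETCH_TOOL, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```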