A vulnerability categorized as critical has been discovered in D-Link DWR-M920 up to 1.1.50 . The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup . The manipulation of the argument ussdValue results in command injection. This vulnerability is known as CVE-2026-11339 . It is possible to launch the attack remotely. Furthermore, an exploit is available.