Overview
On November 3, 2025, the AQUILA PRO AI M95 was reported to D-Link by TELECOM TECHNOLOGY CENTER in Taiwan as having an unauthenticated Remote Command Excution (RCE) vulnerabilities. D-Link Corporation immediately verified the reports and began mitigation, and the affected models are listed below.
D-Link has released fixes for these vulnerabilities, automatically updating the devices. Owners can use their D-Link Device Mobile applications to check and trigger updates manually.
3rd Party Report information
· Reports provided: TTC:: Link - Yiru Tsai - Associate Engineer- yiru _dot_ tsai _at_ ttc _dot_ org _dot_ tw
Exploit 1: Remote Code Execution (RCE) via Command Injection in Insecure Firmware Update Mechanism
- CWE-94 : "Improper Control of Generation of Code," commonly known as code injection. This vulnerability occurs when software executes untrusted input as code, potentially allowing attackers to manipulate or execute harmful commands.
- CWE-494: IThe product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
- Critical. The exploit allows the execution of arbitrary code on the device with Root privileges (uid=0, gid=0)
Affected Models
|
Model
|
Region
|
Hardware Revision
|
Fixed F/W
|
Recommendation
|
Last Updated
|
|
M95
|
Worldwide
|
v1.00.53 and below
|
v1.00B03
For immediate manual update. Please download, decompress, and use the devices Web interface to update to this firmware
|
January 2026 an Automatic Firmware update will be triggered and the AQUILA PRO AI mobile app will display there is an update available to be triggered by owner if automatic update has failed.
|
12/11/2025
|
Regarding the Security Update for Your D-Link Device
Installing firmware updates is critical in addressing security vulnerabilities in your D-Link devices. D-Link strongly urges all users to install the relevant updates and regularly check for further updates. After downloading the firmware update, it is essential to ALWAYS validate its success by comparing the firmware version on your product interface to the firmware update version.
Please note that beta software, beta firmware, or a hot-fix release is still undergoing rigorous testing before its official release. This ensures that the software is of the highest quality and meets our stringent standards. However, it is essential to understand that the user assumes all risk and liability for its use. D-Link does not provide express or implied warranties regarding the suitability or usability of the beta software, beta firmware, or hot-fix release. D-Link will not be liable for any direct, indirect, special, or consequential loss suffered by any party due to their use of the beta firmware, beta software, or hit-fix release.
NOTE: Our products have different hardware revisions, so please check your device’s hardware revision before downloading the corresponding firmware update. The hardware revision can be found on the product label next to the serial number or on the device's web interface.
**In the Event Automatic Forced Update Fails to new firmware
As this is a critical and required firmware update, if your D-Link Mobile Application does not report the fixed firmware version or newer, you can manually download the patched updates on 06/17/2024 and upload the firmware to the device's web GUI.
The link to firmware updates for products sold to US consumers can be found at https://support.dlink.com/; search for your model. If you require help with a manual update, this page also has links for Customer Care Help.