CVE-2026-13545 Overview
CVE-2026-13545 is an operating system (OS) command injection vulnerability in the D-Link DCS-935L network camera running firmware version 1.10.01. The flaw resides in the sub_400E40 function inside setconf.cgi, which is part of the device's POST parameter handler. Attackers can manipulate the UID argument to inject shell commands that execute in the context of the web application. The attack is remotely exploitable across the network, and the exploit has been publicly disclosed. The weakness is tracked as [CWE-77] Improper Neutralization of Special Elements used in a Command.
Critical Impact
Remote attackers with low privileges can execute arbitrary operating system commands on affected DCS-935L cameras, leading to full device compromise, network pivoting, and surveillance data exposure.
Affected Products
- D-Link DCS-935L network camera (hardware)
- D-Link DCS-935L firmware version 1.10.01
- Deployments exposing the camera web interface (setconf.cgi) to untrusted networks
Discovery Timeline
- 2026-06-29 - CVE-2026-13545 published to the National Vulnerability Database (NVD)
- 2026-06-30 - Last updated in the NVD database
Technical Details for CVE-2026-13545
Vulnerability Analysis
The vulnerability is an OS command injection flaw in the DCS-935L camera firmware. The setconf.cgi endpoint accepts POST parameters used to reconfigure device settings. Inside the binary, the function sub_400E40 processes the UID parameter without properly neutralizing shell metacharacters. Because the parameter is concatenated into a command executed by the underlying operating system, attackers can append arbitrary commands using standard shell separators such as ;, |, or backticks. Successful exploitation yields command execution as the web server user, which on embedded D-Link devices typically runs with elevated privileges. Attackers can then read configuration data, extract credentials, alter camera behavior, or use the device as a foothold into the internal network.
Root Cause
The root cause is missing input sanitization in the sub_400E40 handler of setconf.cgi. Values supplied through the UID POST parameter are passed to a system-level command interpreter without validation or escaping. This design pattern falls squarely under [CWE-77], where user-controlled input becomes part of a command string constructed at runtime.
Attack Vector
Exploitation requires network reachability to the camera's HTTP interface and low-privilege access to submit a POST request to setconf.cgi. An attacker crafts a request in which the UID field carries a shell payload appended after a command separator. When sub_400E40 invokes the underlying system command, the injected payload runs on the device. Because DCS-935L cameras are commonly exposed to LANs and, through port forwarding, to the internet, mass exploitation is feasible once the technique is public.
Exploitation is described in prose only. See the referenced
[GitHub CVE Report for D-Link](https://github.com/Real-Simplicity/cve-database/tree/main/CVE_Report_DLink_DCS935L_Command_Injection)
and [VulDB CVE-2026-13545](https://vuldb.com/cve/CVE-2026-13545) for technical
details of the vulnerable POST parameter handling in setconf.cgi.
Detection Methods for CVE-2026-13545
Indicators of Compromise
- POST requests to /setconf.cgi containing shell metacharacters (;, |, &, backticks, $() inside the UID parameter
- Unexpected outbound connections from DCS-935L cameras to unknown hosts, especially over TCP/80, TCP/443, or high ports commonly used by reverse shells
- New or modified files in writable firmware locations such as /tmp or /var on the camera
- Camera processes spawning shell utilities (sh, busybox, wget, tftp, nc) that are not part of routine operation
Detection Strategies
- Deploy network intrusion detection signatures that inspect HTTP POST bodies targeting setconf.cgi for command separators in the UID field
- Baseline normal management traffic to camera endpoints and alert on POST volume spikes or requests from non-administrative source IPs
- Correlate camera authentication events with subsequent configuration changes to identify low-privileged accounts issuing suspicious setconf.cgi calls
Monitoring Recommendations
- Log all HTTP requests to embedded device management interfaces at the network perimeter and inspect payloads for injection patterns
- Monitor DNS queries and egress traffic originating from IoT VLANs where DCS-935L devices reside
- Track firmware version inventory to identify cameras still running the vulnerable 1.10.01 build
How to Mitigate CVE-2026-13545
Immediate Actions Required
- Remove DCS-935L cameras from direct internet exposure and place them behind a firewall or VPN
- Restrict access to setconf.cgi and the camera web interface to a dedicated management subnet
- Rotate all camera administrative credentials and disable unused accounts to limit the low-privilege prerequisite for exploitation
- Inspect affected devices for signs of prior compromise using the indicators listed above before returning them to service
Patch Information
At the time of publication, no vendor-supplied patch has been referenced in the enriched CVE data. Consult the D-Link Official Website for firmware updates and end-of-life notices for the DCS-935L platform. If the device has reached end of support, plan replacement with a currently supported model. Additional technical context is available in the GitHub CVE Report for D-Link and the VulDB CVE-2026-13545 entry.
Workarounds
- Block inbound WAN access to camera HTTP and HTTPS ports at the perimeter firewall
- Segment cameras onto an isolated IoT VLAN with egress filtering that permits only required destinations
- Disable UPnP and port forwarding rules that expose the camera management interface externally
- Where feasible, place a reverse proxy in front of the camera that strips or rejects POST parameters containing shell metacharacters
# Example iptables rules to restrict access to the camera management interface
# Replace 192.0.2.10 with the camera IP and 10.0.100.0/24 with the admin subnet
iptables -A FORWARD -s 10.0.100.0/24 -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.0.100.0/24 -d 192.0.2.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

