Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13545

CVE-2026-13545: D-Link DCS-935L Firmware RCE Vulnerability

CVE-2026-13545 is a remote code execution flaw in D-Link DCS-935L firmware affecting the setconf.cgi POST parameter handler. Attackers can exploit this OS command injection remotely to execute arbitrary commands.

Published:

CVE-2026-13545 Overview

CVE-2026-13545 is an operating system (OS) command injection vulnerability in the D-Link DCS-935L network camera running firmware version 1.10.01. The flaw resides in the sub_400E40 function inside setconf.cgi, which is part of the device's POST parameter handler. Attackers can manipulate the UID argument to inject shell commands that execute in the context of the web application. The attack is remotely exploitable across the network, and the exploit has been publicly disclosed. The weakness is tracked as [CWE-77] Improper Neutralization of Special Elements used in a Command.

Critical Impact

Remote attackers with low privileges can execute arbitrary operating system commands on affected DCS-935L cameras, leading to full device compromise, network pivoting, and surveillance data exposure.

Affected Products

  • D-Link DCS-935L network camera (hardware)
  • D-Link DCS-935L firmware version 1.10.01
  • Deployments exposing the camera web interface (setconf.cgi) to untrusted networks

Discovery Timeline

  • 2026-06-29 - CVE-2026-13545 published to the National Vulnerability Database (NVD)
  • 2026-06-30 - Last updated in the NVD database

Technical Details for CVE-2026-13545

Vulnerability Analysis

The vulnerability is an OS command injection flaw in the DCS-935L camera firmware. The setconf.cgi endpoint accepts POST parameters used to reconfigure device settings. Inside the binary, the function sub_400E40 processes the UID parameter without properly neutralizing shell metacharacters. Because the parameter is concatenated into a command executed by the underlying operating system, attackers can append arbitrary commands using standard shell separators such as ;, |, or backticks. Successful exploitation yields command execution as the web server user, which on embedded D-Link devices typically runs with elevated privileges. Attackers can then read configuration data, extract credentials, alter camera behavior, or use the device as a foothold into the internal network.

Root Cause

The root cause is missing input sanitization in the sub_400E40 handler of setconf.cgi. Values supplied through the UID POST parameter are passed to a system-level command interpreter without validation or escaping. This design pattern falls squarely under [CWE-77], where user-controlled input becomes part of a command string constructed at runtime.

Attack Vector

Exploitation requires network reachability to the camera's HTTP interface and low-privilege access to submit a POST request to setconf.cgi. An attacker crafts a request in which the UID field carries a shell payload appended after a command separator. When sub_400E40 invokes the underlying system command, the injected payload runs on the device. Because DCS-935L cameras are commonly exposed to LANs and, through port forwarding, to the internet, mass exploitation is feasible once the technique is public.

Exploitation is described in prose only. See the referenced
[GitHub CVE Report for D-Link](https://github.com/Real-Simplicity/cve-database/tree/main/CVE_Report_DLink_DCS935L_Command_Injection)
and [VulDB CVE-2026-13545](https://vuldb.com/cve/CVE-2026-13545) for technical
details of the vulnerable POST parameter handling in setconf.cgi.

Detection Methods for CVE-2026-13545

Indicators of Compromise

  • POST requests to /setconf.cgi containing shell metacharacters (;, |, &, backticks, $() inside the UID parameter
  • Unexpected outbound connections from DCS-935L cameras to unknown hosts, especially over TCP/80, TCP/443, or high ports commonly used by reverse shells
  • New or modified files in writable firmware locations such as /tmp or /var on the camera
  • Camera processes spawning shell utilities (sh, busybox, wget, tftp, nc) that are not part of routine operation

Detection Strategies

  • Deploy network intrusion detection signatures that inspect HTTP POST bodies targeting setconf.cgi for command separators in the UID field
  • Baseline normal management traffic to camera endpoints and alert on POST volume spikes or requests from non-administrative source IPs
  • Correlate camera authentication events with subsequent configuration changes to identify low-privileged accounts issuing suspicious setconf.cgi calls

Monitoring Recommendations

  • Log all HTTP requests to embedded device management interfaces at the network perimeter and inspect payloads for injection patterns
  • Monitor DNS queries and egress traffic originating from IoT VLANs where DCS-935L devices reside
  • Track firmware version inventory to identify cameras still running the vulnerable 1.10.01 build

How to Mitigate CVE-2026-13545

Immediate Actions Required

  • Remove DCS-935L cameras from direct internet exposure and place them behind a firewall or VPN
  • Restrict access to setconf.cgi and the camera web interface to a dedicated management subnet
  • Rotate all camera administrative credentials and disable unused accounts to limit the low-privilege prerequisite for exploitation
  • Inspect affected devices for signs of prior compromise using the indicators listed above before returning them to service

Patch Information

At the time of publication, no vendor-supplied patch has been referenced in the enriched CVE data. Consult the D-Link Official Website for firmware updates and end-of-life notices for the DCS-935L platform. If the device has reached end of support, plan replacement with a currently supported model. Additional technical context is available in the GitHub CVE Report for D-Link and the VulDB CVE-2026-13545 entry.

Workarounds

  • Block inbound WAN access to camera HTTP and HTTPS ports at the perimeter firewall
  • Segment cameras onto an isolated IoT VLAN with egress filtering that permits only required destinations
  • Disable UPnP and port forwarding rules that expose the camera management interface externally
  • Where feasible, place a reverse proxy in front of the camera that strips or rejects POST parameters containing shell metacharacters
bash
# Example iptables rules to restrict access to the camera management interface
# Replace 192.0.2.10 with the camera IP and 10.0.100.0/24 with the admin subnet
iptables -A FORWARD -s 10.0.100.0/24 -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.0.100.0/24 -d 192.0.2.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.