CVE-2026-2218
Command Injection in D-Link DCS-933L alphapd Allows Remote Exploit
Publication date: 2026-02-09
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dcs-933l_firmware | up to 1.14.11 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2218 is a command injection vulnerability found in the D-Link DCS-933L IP camera firmware versions up to 1.14.11. The flaw exists in the alphapd component, specifically in the /setSystemAdmin endpoint, where improper handling of the AdminID argument allows an attacker to inject arbitrary commands.
This happens because the device constructs commands using externally influenced input without properly neutralizing special characters, enabling command injection. The vulnerability can be exploited remotely without authentication.
The affected products are no longer supported by the vendor, and no known mitigations or countermeasures exist.
How can this vulnerability impact me?
This vulnerability impacts the confidentiality, integrity, and availability of the affected device.
- An attacker can remotely execute arbitrary operating system commands on the device.
- This can lead to unauthorized control over the device, potentially allowing data theft, device manipulation, or denial of service.
- Since the device is no longer supported, there are no known fixes, increasing the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious requests targeting the /setSystemAdmin endpoint of the D-Link DCS-933L device, specifically those manipulating the AdminID parameter.
Since the vulnerability involves command injection via the AdminID argument, detection can involve capturing and analyzing HTTP requests to identify unusual or malformed input that attempts to inject shell commands.
A practical approach is to use network traffic inspection tools or web application firewalls to log and analyze requests to /setSystemAdmin.
- Use curl or wget to test the endpoint with benign and suspicious AdminID values, for example: curl -v "http://<device-ip>/setSystemAdmin?AdminID=normal"
- Attempt to detect command injection by sending payloads such as: curl -v "http://<device-ip>/setSystemAdmin?AdminID=normal;id" and observe if command output is returned or device behavior changes.
- Use network monitoring tools like tcpdump or Wireshark to capture traffic and filter for requests to /setSystemAdmin. [1, 3]
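The log-review approach described above, as an added example that is not part of the original page or any vendor tooling: it scans access-log lines for /setSystemAdmin requests whose AdminID is not a plain name. It assumes a combined-format access log from a proxy or WAF in front of the camera and an allowlist of characters for legitimate admin names; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "/setSystemAdmin"  # endpoint named in the advisory
PARAM = "AdminID"             # parameter named in the advisory
# Assumption: a legitimate admin name uses only these characters.
PLAIN_NAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Source address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Feb/2026:10:00:01 +0000] "GET /setSystemAdmin?AdminID=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Feb/2026:10:02:13 +0000] "GET /setSystemAdmin?AdminID=normal;id HTTP/1.1" 200 498',
    '198.51.100.7 - - [09/Feb/2026:10:02:20 +0000] "GET /setSystemAdmin?AdminID=normal%3Bid HTTP/1.1" 200 498',
    '192.0.2.10 - - [09/Feb/2026:10:05:44 +0000] "GET /index.html?AdminID=x;y HTTP/1.1" 200 100',
]

def suspicious_admin_ids(log_lines):
    """Return (source, decoded AdminID) for each request whose AdminID is not a plain name."""
    hits = []
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path.rstrip("/").lower() != ENDPOINT.lower():
            continue
        # Split on '&' by hand so a raw ';' stays inside the value on every Python version.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            if unquote_plus(name).lower() != PARAM.lower():
                continue
            value = unquote_plus(raw)  # one decode: any leftover '%' fails the allowlist
            if not PLAIN_NAME.fullmatch(value):
                hits.append((match.group("src"), value))
    return hits

if __name__ == "__main__":
    for src, value in suspicious_admin_ids(SAMPLE_LOG):
        print(f"ALERT {src} sent AdminID={value!r} to {ENDPOINT}")
```

An AdminID carried in a POST body does not appear in a request-line log, so covering that case needs a proxy or WAF that records request bodies.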
What immediate steps should I take to mitigate this vulnerability?
Since the affected D-Link DCS-933L devices are no longer supported by the vendor and no known mitigations or patches exist, the recommended immediate step is to replace the affected devices with alternative, supported products.
In the interim, network administrators should restrict access to the vulnerable device by isolating it from untrusted networks, applying firewall rules to block external access to the /setSystemAdmin endpoint, and monitoring for suspicious activity.
Disabling remote management features or restricting management access to trusted IP addresses can also reduce the risk of exploitation.