CVE-2026-36983
Received Received - Intake
Command Injection in D-Link DCS-932L v2.18.01

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: MITRE

Description
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-36983
EUVD
EUVD-2026-29113
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
d-link dcs-932l 2.18.01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-36983 vulnerability affects the D-Link DCS-932L network surveillance camera, specifically firmware version V2.18.01. It is a command injection flaw found in the alphapd binary's sub_42EF14 function. The vulnerability occurs because the LightSensorControl parameter is improperly handled and directly incorporated into a system command without proper sanitization.

A remote attacker with authorized access can exploit this vulnerability by sending specially crafted requests to the vulnerable endpoint /setDayNightStream, allowing them to execute arbitrary commands on the device.

Impact Analysis

This vulnerability can allow a remote attacker with authorized access to execute arbitrary commands on the affected D-Link DCS-932L device. This could lead to unauthorized control over the device, potentially compromising its functionality, accessing sensitive data, or using the device as a foothold to attack other systems on the network.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for requests to the vulnerable endpoint /setDayNightStream that include the LightSensorControl parameter. Specifically, look for suspicious or specially crafted inputs that could lead to command injection.

Since the vulnerability involves command injection via the LightSensorControl parameter, you can use network capture tools like tcpdump or Wireshark to filter HTTP requests to the device and inspect the parameters.

  • Use tcpdump to capture traffic to the device: tcpdump -i <interface> host <device_ip> and filter for HTTP POST requests.
  • Use curl or similar tools to test the endpoint manually by sending crafted requests to /setDayNightStream with various LightSensorControl values to see if command injection is possible.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable device, especially limiting access to trusted users only, since exploitation requires authorized access.

Avoid sending or allowing untrusted input to the /setDayNightStream endpoint, particularly the LightSensorControl parameter.

If possible, update the device firmware to a version that patches this vulnerability or contact the vendor for a security update.

As a temporary measure, consider network segmentation or firewall rules to block access to the vulnerable endpoint.

Compliance Impact

The CVE-2026-36983 vulnerability allows remote attackers with authorized access to execute arbitrary commands on the affected D-Link DCS-932L device due to improper input sanitization. This command injection flaw could potentially lead to unauthorized access or control over the device, which may result in exposure or compromise of sensitive data.

Such a vulnerability can impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive information. If exploited, it could lead to data breaches or unauthorized data processing, thereby violating these regulations' requirements for data security and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36983. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart