Command Injection in D-Link DCS-935L Network Camera

Compliance Impact

This vulnerability allows remote attackers to execute arbitrary commands as root on the affected device, potentially leading to unauthorized access, data modification, and exposure of sensitive information.

Such unauthorized access and control over the device could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to ensure confidentiality, integrity, and availability.

Exploitation of this vulnerability could lead to breaches involving personal data or health information, thereby impacting compliance with these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-13545 is an OS command injection vulnerability found in the D-Link DCS-935L HD Wi-Fi Camera, specifically in the setconf.cgi CGI binary. The flaw occurs because the UID parameter in HTTP POST requests is copied into a stack buffer without proper bounds checking and then directly embedded into a shell command that is executed. There is no sanitization or escaping of this user input, allowing an attacker to inject arbitrary commands.

The vulnerability can be exploited remotely, requiring network access with authentication, but there is a localhost authentication bypass that allows unauthenticated local attacks. The camera's default credentials (admin with an empty password) make exploitation easier. An attacker can execute commands as root, potentially gaining full control over the device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected device with root privileges. This can lead to unauthorized access or modification of files, viewing live video feeds, changing device configurations, or using the compromised device to attack other devices on the network.

Because the exploit can be launched remotely and the device ships with default weak credentials, the risk of compromise is significant. An attacker could take full control of the camera and potentially pivot to other network resources, leading to broader network compromise.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the setconf.cgi endpoint of the D-Link DCS-935L camera for command injection via the UID parameter in HTTP POST requests.

A proof-of-concept detection command uses curl to send a crafted POST request that attempts to execute system commands like 'id'. For example:

• curl -X POST -d "UID=;id;" http://<camera-ip>/setconf.cgi

If the response contains output from the injected command (e.g., user id information), the device is vulnerable.

Note that the attack requires network access with authentication, except when accessed from localhost (127.0.0.1), which bypasses authentication.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Change default credentials, especially the admin account with an empty password, to strong, unique passwords.
• Restrict network access to the device, limiting it to trusted networks or IP addresses.
• Disable or restrict access to the setconf.cgi endpoint if possible.
• Avoid accessing the device from localhost or untrusted sources that bypass authentication.

Long-term remediation involves applying patches that validate and sanitize the UID parameter, replace unsafe functions, enforce length limits, and remove localhost authentication bypass.

Useful 0 Not Useful 0