D-Link DCS-935L CVE-2026-12174

HIGH 7.4 (CVSS 4.0 · Vendor: VulDB)
Use of Externally-Controlled Format String (CWE-134)
2026-06-13 VulDB

Severity by source

Vendor (VulDB), PRIMARY: 7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.8 HIGH
Network-reachable HTTP handler with low complexity; PR:L mirrors the vendor vector since web UI authentication is required, and a format-string primitive plausibly yields full C/I/A impact on the device.
  • CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

5 events

  • Jun 13, 2026 - 21:28, vuln.today: Analysis Updated, v3 (cvss_changed)
  • Jun 13, 2026 - 21:27, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 13, 2026 - 21:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 13, 2026 - 21:22, NVD: CVSS changed, 8.7 (HIGH) → 7.4 (HIGH)
  • Jun 13, 2026 - 20:46, vuln.today: Analysis Generated

Description (CVE.org)

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Analysis (AI)

Format string vulnerability in the D-Link DCS-935L 1.10.01 IP camera allows authenticated remote attackers to corrupt memory and likely achieve information disclosure or code execution by manipulating the data argument passed to snprintf within the /web/cgi-bin/greece/rhea HTTP handler. Publicly available exploit code exists per VulDB submission, though this CVE is not on the CISA KEV list. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Discover exposed DCS-935L web UI
  • Delivery: Authenticate with default or weak credentials
  • Exploit: Send crafted request to /web/cgi-bin/greece/rhea
  • Install: Inject format specifiers into data parameter
  • C2: Leak memory and corrupt snprintf state
  • Execute: Execute code on camera firmware
  • Impact: Pivot to internal network or stream video

Vulnerability Assessment (AI)

Exploitation: Requires network reachability to the camera's web management interface (typically TCP/80 or TCP/443 on the LAN, or the internet if port-forwarded) and valid low-privilege web UI credentials per CVSS PR:L; an unauthenticated attacker who cannot log in cannot exploit the issue. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with low complexity and authenticated low-privilege access, with high VC/VI/VA impacts, consistent with a format-string primitive that can leak memory and potentially achieve code execution on an embedded device. …

Exploit Scenario: An attacker on the same network as an exposed DCS-935L (or reaching it over the internet via a port-forwarded admin UI) authenticates with default, reused, or low-privilege credentials and sends a crafted HTTP request to /web/cgi-bin/greece/rhea with format specifiers embedded in the data parameter. The snprintf call interprets the specifiers, leaking stack memory containing session tokens or pointers, and with a %n primitive can corrupt memory to hijack control flow and execute attacker-supplied code on the camera. …

Remediation: No vendor-released patch identified at time of analysis; the DCS-935L is a legacy model and no D-Link advisory or fixed firmware version has been published in the supplied references. …
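
The bug class described above (request data reaching snprintf as the format argument) and its standard fix, as an added C example; this is not D-Link firmware code and not part of the original page. The function names `render_safe` and `count_format_directives` and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (CWE-134), kept as a comment so it is never compiled:
 *
 *     snprintf(out, outsz, data);   // request data used as the format string
 */

/* Hardened form: request data is only ever an argument to a constant format.
 * Returns the length written, or -1 on error or truncation. */
int render_safe(char *out, size_t outsz, const char *data)
{
    int n = snprintf(out, outsz, "%s", data);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Counts printf conversion directives in s; "%%" is a literal percent.
 * A non-zero count in a field that should be plain text is worth
 * rejecting or logging before it reaches legacy formatting code. */
int count_format_directives(const char *s)
{
    int count = 0;
    while (*s) {
        if (*s++ != '%')
            continue;
        if (*s == '%') { s++; continue; }        /* escaped percent */
        const char *p = s;
        p += strspn(p, "0123456789$-+ #'*.");    /* position, flags, width, precision */
        p += strspn(p, "hlLqjzt");               /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            s = p + 1;
        }
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *sample = "%08lx.%s";             /* constructed sample input */
    int n = render_safe(buf, sizeof buf, sample);
    printf("directives=%d rendered=%s len=%d\n",
           count_format_directives(sample), buf, n);
    return 0;
}
```

With the constant `"%s"` format the directives in the input are copied out as literal text instead of being interpreted.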

Recommended Action (AI)

Within 24 hours: Inventory all D-Link DCS-935L cameras; identify those running version 1.10.01 or earlier; document network segments where these cameras operate. …
