D-Link DCS-933L Command Injection Vulnerability in alphapd Component

Vulnerability

A command injection vulnerability has been identified in the D-Link DCS-933L camera, affecting firmware versions prior to 1.14.11. The issue is in the alphapd component, specifically within the setSystemAdmin function. Remote attackers can execute arbitrary commands on the operating system by manipulating the AdminID parameter, which is not properly sanitized before it is used in a command that the device executes. This vulnerability is present in products that are no longer supported by the manufacturer.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device's operating system. In the proof-of-concept demonstration, the telnetd service was started, allowing remote access to the device.

Reproduction

To reproduce this vulnerability, send a POST request to the /setSystemAdmin endpoint with a crafted AdminID parameter. The request must include a valid Digest authorization. Once the command injection is successful, the executed command's effect can be observed, such as starting a telnet server that can be accessed remotely.
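A detection sketch for the request described above, added here as an example and not taken from the advisory or from D-Link: it flags POSTs to /setSystemAdmin whose AdminID falls outside an allowlist, for use on a proxy or log pipeline in front of the camera. The form-encoded body, the allowlist pattern and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate account names fit this allowlist. Anything else
# in AdminID (shell metacharacters, whitespace, control bytes) is flagged.
SAFE_ADMIN_ID = re.compile(r"[A-Za-z0-9_.-]{1,32}")
TARGET_PATH = "/setSystemAdmin"


def check_request(method, path, body):
    """Return findings for one HTTP request; an empty list means not flagged."""
    if method.upper() != "POST":
        return []
    if path.split("?", 1)[0].rstrip("/") != TARGET_PATH:
        return []
    # Assumption: the body is application/x-www-form-urlencoded.
    # parse_qs percent-decodes values, so encoded metacharacters are seen.
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in params.get("AdminID", []):
        if not SAFE_ADMIN_ID.fullmatch(value):
            findings.append("AdminID outside allowlist: %r" % value)
    return findings


def scan(requests):
    """Return the indexes of the requests that produced any finding."""
    return [i for i, req in enumerate(requests) if check_request(*req)]


# Constructed sample traffic (method, path, body); not captured from a device.
SAMPLES = [
    ("POST", "/setSystemAdmin", "AdminID=admin"),
    ("POST", "/setSystemAdmin", "AdminID=admin%3Becho%20constructed"),
    ("POST", "/setSystemAdmin", "AdminID=admin%60echo%20constructed%60"),
    ("POST", "/setSystemAdmin", "AdminID=admin%0Aecho%20constructed"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(i, check_request(*SAMPLES[i]))
```

Because the request needs valid Digest authorization, a flagged entry also means a camera credential is in use by whoever sent it.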

Added: Feb 9, 2026, 6:37 AM
Updated: Feb 9, 2026, 12:10 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.