CVE-2026-2218
Published: 09 February 2026
Summary
CVE-2026-2218 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dcs-933L Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-2218 is a command injection vulnerability affecting D-Link DCS-933L cameras running firmware versions up to 1.14.11. The flaw exists in an unknown function of the /setSystemAdmin file within the alphapd component, where manipulation of the AdminID argument enables command injection. Published on 2026-02-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs-74 and CWE-77.
Remote attackers who possess low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows partial impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the affected device.
This vulnerability impacts only products no longer supported by the maintainer, with no patches available. Advisories, including references from VulDB and a GitHub repository, confirm that a proof-of-concept exploit has been publicly disclosed and may be utilized, heightening risks for internet-exposed instances.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6904
Vulnerability details
A vulnerability was determined in D-Link DCS-933L up to 1.14.11. This affects an unknown function of the file /setSystemAdmin of the component alphapd. This manipulation of the argument AdminID causes command injection. Remote exploitation of the attack is possible. The…
more
exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in exposed admin interface directly enables remote exploitation of public-facing app (T1190) and arbitrary Unix shell command execution (T1059.004) on the device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks command injection by validating the AdminID argument before it reaches the alphapd /setSystemAdmin handler.
Limits the low-privilege account's ability to execute injected commands on the unsupported camera firmware.
Restricts network access to the DCS-933L, reducing remote exploitation of the publicly disclosed command-injection flaw.