Cyber Resilience

CVE-2026-2218

MediumPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0345 87.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2218 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dcs-933L Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2218 is a command injection vulnerability affecting D-Link DCS-933L cameras running firmware versions up to 1.14.11. The flaw exists in an unknown function of the /setSystemAdmin file within the alphapd component, where manipulation of the AdminID argument enables command injection. Published on 2026-02-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs-74 and CWE-77.

Remote attackers who possess low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows partial impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the affected device.

This vulnerability impacts only products no longer supported by the maintainer, with no patches available. Advisories, including references from VulDB and a GitHub repository, confirm that a proof-of-concept exploit has been publicly disclosed and may be utilized, heightening risks for internet-exposed instances.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was determined in D-Link DCS-933L up to 1.14.11. This affects an unknown function of the file /setSystemAdmin of the component alphapd. This manipulation of the argument AdminID causes command injection. Remote exploitation of the attack is possible. The…

more

exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in exposed admin interface directly enables remote exploitation of public-facing app (T1190) and arbitrary Unix shell command execution (T1059.004) on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1624Same vendor: Dlink
CVE-2026-4204Same vendor: Dlink
CVE-2026-8345Same vendor: Dlink
CVE-2026-4197Same vendor: Dlink
CVE-2026-2085Same vendor: Dlink
CVE-2026-4195Same vendor: Dlink
CVE-2026-1419Same vendor: Dlink
CVE-2026-4206Same vendor: Dlink
CVE-2025-1800Same vendor: Dlink
CVE-2026-2227Same vendor: Dlink

Affected Assets

dlink
dcs-933l firmware
≤ 1.14.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks command injection by validating the AdminID argument before it reaches the alphapd /setSystemAdmin handler.

prevent

Limits the low-privilege account's ability to execute injected commands on the unsupported camera firmware.

prevent

Restricts network access to the DCS-933L, reducing remote exploitation of the publicly disclosed command-injection flaw.

References