Cyber Resilience

CVE-2026-2260

High · Public PoC · RCE

Published: 10 February 2026
Modified: 12 February 2026
CVSS Score (v4): 7.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0010 (26.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2260 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DCS-931L firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS model ranks it at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2260 is an OS command injection vulnerability (CWE-77, CWE-78) in D-Link DCS-931L cameras running firmware up to version 1.13.0. The flaw resides in an unspecified component of the /goform/setSysAdmin web endpoint, where manipulation of the AdminID argument enables arbitrary command execution on the underlying operating system. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-10.

The vulnerability can be exploited remotely by authenticated attackers possessing high privileges, such as administrative access to the device. Successful exploitation allows attackers to execute arbitrary operating system commands, potentially leading to full compromise of the camera, including high-impact confidentiality, integrity, and availability violations.

Advisories note that affected products are no longer supported by the maintainer, implying no official patches or firmware updates are available. A public proof-of-concept exploit is available on GitHub at https://github.com/cha0yang1/CVE/blob/main/DLinkRce.md, including a specific POC section, which could facilitate attacks on vulnerable devices.

This vulnerability has a publicly disclosed exploit, increasing the risk for exposed, end-of-life D-Link DCS-931L cameras still in use.


Vulnerability details

A vulnerability was found in D-Link DCS-931L up to 1.13.0. This affects an unknown part of the file /goform/setSysAdmin. The manipulation of the argument AdminID results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.


MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in a web management endpoint directly enables remote exploitation of a public-facing application (T1190) to achieve arbitrary Unix shell command execution (T1059.004) with existing admin privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-2227 (same product: D-Link DCS-931L)
- CVE-2026-4465 (same vendor: D-Link)
- CVE-2026-2210 (same vendor: D-Link)
- CVE-2026-8273 (same vendor: D-Link)
- CVE-2026-2151 (same vendor: D-Link)
- CVE-2026-8272 (same vendor: D-Link)
- CVE-2026-2157 (same vendor: D-Link)
- CVE-2026-2129 (same vendor: D-Link)
- CVE-2026-2143 (same vendor: D-Link)
- CVE-2026-2084 (same vendor: D-Link)

Affected Assets

Vendor: dlink
Product: dcs-931l firmware
Versions: 1.0.0 through 1.13.00

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10 Information Input Validation): Directly requires validation of all inputs to the /goform/setSysAdmin AdminID parameter, blocking the OS command injection vector at the point of entry.
- prevent (SA-22 Unsupported System Components): Explicitly addresses continued use of the unsupported D-Link DCS-931L firmware (up to 1.13.0) that will never receive a vendor patch for this flaw.
- prevent: Limits the number of accounts holding the high-privilege (PR:H) access required to reach the vulnerable setSysAdmin endpoint.
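Because no vendor patch will ship, the practical defences are an input allowlist in front of the endpoint and detection of abnormal AdminID values in web access logs. The script below is an added illustration of both, not D-Link's code and not part of the advisory: the allowlist pattern, the Common Log Format layout and all sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist policy for an admin account name (not D-Link's own rule):
# letters, digits, '_', '.', '-', between 1 and 32 characters.
ADMIN_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
VULN_PATH = "/goform/setSysAdmin"

# Minimal parser for a Common Log Format line: client IP, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def admin_id_is_valid(value: str) -> bool:
    """True only if the value fits the allowlist; everything else is rejected."""
    return ADMIN_ID_RE.fullmatch(value) is not None

def scan_access_log(lines):
    """Return (client_ip, admin_id) for every request to the vulnerable endpoint
    whose AdminID fails validation. POST bodies are not written to access logs,
    so only values carried in the query string can be checked this way."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client_ip, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != VULN_PATH:
            continue
        for admin_id in parse_qs(url.query).get("AdminID", []):
            if not admin_id_is_valid(admin_id):
                findings.append((client_ip, admin_id))
    return findings

# Constructed sample lines (192.0.2.0/24 is a documentation range). The second
# carries a ';' and the third is far too long; both fail the allowlist. The
# fourth hits a different path and is ignored.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2026:09:15:01 +0000] "GET /goform/setSysAdmin?AdminID=admin&AdminPass=x HTTP/1.1" 200 512',
    '192.0.2.77 - - [10/Feb/2026:09:15:09 +0000] "GET /goform/setSysAdmin?AdminID=admin%3Bx HTTP/1.1" 200 512',
    '192.0.2.77 - - [10/Feb/2026:09:15:12 +0000] "GET /goform/setSysAdmin?AdminID=' + "a" * 40 + ' HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Feb/2026:09:16:00 +0000] "GET /goform/getStatus?AdminID=x%3By HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious AdminID from {ip}: {value!r}")
```

On a real deployment the same allowlist belongs in a reverse proxy or WAF rule placed in front of the camera, since the firmware itself cannot be fixed.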
