CVE-2026-36983
Published: 11 May 2026
Summary
CVE-2026-36983 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DCS-932L firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
D-Link DCS-932L version 2.18.01 contains a command injection vulnerability in the /bin/alphapd binary, specifically within function sub_42EF14. The flaw arises from improper handling of the LightSensorControl argument and is tracked under CWE-77, with a CVSS 3.1 score of 7.3 reflecting network-accessible exploitation without authentication or user interaction.
An unauthenticated remote attacker can supply crafted input to the LightSensorControl parameter and execute arbitrary operating-system commands on the device. Successful exploitation grants limited read, write, and disruption capabilities on the affected camera, consistent with the reported impact metrics.
The listed references include a D-Link security bulletin page and a public GitHub repository documenting the issue; administrators should consult the vendor bulletin for any official firmware updates or configuration guidance. The associated EPSS score has remained flat at 0.0571 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29113
Vulnerability details
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
- CWE(s): CWE-77
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection (CWE-77) in the exposed camera web/firmware interface directly enables remote code execution via a Unix shell.