CVE-2025-10779

8.8 HIGH

📋 TL;DR

This CVE describes a stack-based buffer overflow in D-Link DCS-935L IP cameras, triggered by manipulating the HNAP_AUTH/SOAPAction argument. Attackers can remotely execute arbitrary code, potentially taking full control of affected devices. Only unsupported D-Link DCS-935L cameras are affected.

💻 Affected Systems

Products:
  • D-Link DCS-935L
Versions: Up to version 1.13.01
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: This product is no longer supported by the vendor. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and use in botnets or surveillance operations.

🟠 Likely Case

Remote code execution allowing attackers to disable cameras, exfiltrate video feeds, or use devices as network pivots for further attacks.

🟢 If Mitigated

Limited impact if devices are isolated in separate VLANs with strict network segmentation and egress filtering.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details exist in GitHub repositories. The vulnerability requires no authentication and has simple exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch exists as the product is end-of-life. Consider the workarounds and risk reduction steps below.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate DCS-935L cameras in a separate VLAN with strict firewall rules blocking all inbound traffic except from authorized management systems.

Disable HNAP1 Service

all

If possible, disable the HNAP1 service on affected cameras to prevent exploitation of this specific vulnerability vector.

🧯 If You Can't Patch

  • Immediately remove affected cameras from internet-facing networks
  • Replace end-of-life DCS-935L cameras with supported models

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface at http://[camera-ip]/, or use an nmap scan to look for the HNAP1 service on port 80.

Check Version:

curl -s http://[camera-ip]/HNAP1/ | grep -i version

Verify Fix Applied:

No fix available to verify. Verify workarounds by confirming cameras are not internet-accessible and HNAP1 service is disabled or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HNAP1 SOAPAction requests
  • Multiple failed authentication attempts to HNAP1 endpoint
  • Abnormal process creation on camera

Network Indicators:

  • Exploit traffic patterns to /HNAP1/ endpoint
  • Unusual outbound connections from camera to external IPs
  • Buffer overflow attempts in HTTP headers

SIEM Query:

source="camera-logs" AND (uri_path="/HNAP1/" AND http_method="POST" AND (user_agent="exploit" OR contains(content, "SOAPAction")))
