CVE-2026-2260

7.2 HIGH

📋 TL;DR

This CVE describes a remote command injection vulnerability in D-Link DCS-931L IP cameras. Attackers can execute arbitrary operating system commands by manipulating the AdminID parameter in the /goform/setSysAdmin endpoint. This affects all DCS-931L cameras running firmware version 1.13.0 or earlier, which are no longer supported by the vendor.

💻 Affected Systems

Products:
  • D-Link DCS-931L
Versions: Up to and including version 1.13.0
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations are vulnerable. The device is end-of-life with no vendor support.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full device compromise allowing attackers to install persistent malware, pivot to internal networks, disable the camera, or use the device for botnet activities.

🟠 Likely Case: Unauthorized access to camera feeds, device configuration changes, or using the device as a foothold for further network attacks.

🟢 If Mitigated: Limited impact if device is isolated in a restricted network segment with proper firewall rules and monitoring.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists for unpatched devices exposed to the internet.
🏢 Internal Only: MEDIUM - While still vulnerable, internal-only devices have reduced attack surface but remain at risk from compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exploit code is available on GitHub, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: None - product is end-of-life

Restart Required: No

Instructions:

No official patch exists. The vendor has discontinued support for this product. Immediate replacement is recommended.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate DCS-931L cameras in a separate VLAN with strict firewall rules blocking all inbound traffic except necessary management ports from trusted sources.

Web Interface Disable

all

Disable the web administration interface if not required, or restrict access to specific management IP addresses only.

🧯 If You Can't Patch

  • Immediately remove affected devices from internet-facing deployments
  • Implement strict network access controls allowing only outbound traffic to required services

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at http://[camera-ip]/system.html or via SSH if enabled. Version 1.13.0 or earlier indicates vulnerability.

Check Version:

curl -s http://[camera-ip]/system.html | grep -i firmware

Verify Fix Applied:

No fix available to verify. Only complete device replacement with a supported model can resolve this vulnerability.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/setSysAdmin with shell metacharacters in parameters
  • Failed authentication attempts followed by successful command execution

Network Indicators:

  • Unusual outbound connections from camera to external IPs
  • Traffic patterns indicating command-and-control communication

SIEM Query:

source="camera-logs" AND (url="/goform/setSysAdmin" AND (param="AdminID" AND value MATCHES "[;&|`$()]"))
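
The SIEM query above matches only literal metacharacters, so a percent-encoded or double-encoded AdminID value passes it unflagged. The following added example (not part of the original advisory or any vendor tooling) applies the same character class after decoding; the log line layout, the sample lines and the PLACEHOLDER values are constructed assumptions standing in for whatever proxy or IDS records the request body.

```python
import re
from urllib.parse import unquote_plus

ENDPOINT = "/goform/setSysAdmin"
SHELL_META = re.compile(r"[;&|`$()]")  # same character class as the SIEM query

# Constructed sample lines in an assumed format:
# <timestamp> <source-ip> <method> <path> <form-body>
SAMPLE_LOG = """\
2026-01-10T08:00:01Z 10.0.5.20 POST /goform/setSysAdmin AdminID=admin
2026-01-10T08:02:13Z 10.0.5.77 POST /goform/setSysAdmin AdminID=admin;PLACEHOLDER_CMD
2026-01-10T08:02:40Z 10.0.5.77 POST /goform/setSysAdmin AdminID=admin%60PLACEHOLDER_CMD%60
2026-01-10T08:03:02Z 10.0.5.77 POST /goform/setSysAdmin AdminID=admin%2524%2528PLACEHOLDER%2529
2026-01-10T08:05:00Z 10.0.5.20 GET /system.html -
"""

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def admin_id(body):
    """Return the raw AdminID value from a form body, or None if absent."""
    for field in body.split("&"):
        name, _, raw = field.partition("=")
        if name == "AdminID":
            return raw
    return None

def suspicious_requests(log_text):
    """Return (timestamp, source, decoded AdminID) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # not in the assumed five-field layout
        ts, src, method, path, body = parts
        if method != "POST" or path.split("?")[0] != ENDPOINT:
            continue
        raw = admin_id(body)
        if raw is not None and SHELL_META.search(decode_fully(raw)):
            hits.append((ts, src, decode_fully(raw)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

On the sample, the literal-only query would flag the second line but miss the third and fourth, which this check catches after decoding.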
