CVE-2026-11497 - Vulnerability Details

- D-Link DCS-5615 Boa Webserver boa.conf least privilege violation

Description

A vulnerability has been found in D-Link DCS-5615 1.01.00. Affected by this vulnerability is an unknown functionality of the file /etc/conf.d/boa/boa.conf of the component Boa Webserver. Such manipulation leads to least privilege violation. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Published: 2026-06-08

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates from an improper use of the /etc/conf.d/boa/boa.conf configuration file in the Boa Webserver component of the D-Link DCS-5615. By manipulating this file, an attacker can break the least privilege rule that should limit the webserver's permissions, thereby creating a privilege escalation path. The flaw allows the attacker to gain elevated privileges on the device and potentially alter or compromise system configuration settings or services running on the router.

Affected Systems

This issue affects D-Link DCS-5615 devices running firmware version 1.01.00. No other versions or additional D-Link products are listed as affected in the available data.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating a moderate to high impact. The EPSS score is not available, but the vulnerability has been publicly disclosed and is usable by remote attackers, demonstrating that the flaw is actionable from any remote position that can reach the device. The exposure is not listed in the CISA KEV catalog, but the remote exploitability and the known exploitation potential warrant timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DCS-5615

affected

Version	Status	Constraints
`1.01.00`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dcs-5615_firmware:1.01.00:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-5615:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

D-link

Dcs-5615

100%

Version	Status	Scheme	Platform
`1.01.00`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the router to the latest D-Link firmware that addresses the Boa Webserver configuration flaw
Reconfigure or disable the Boa Webserver so it runs with the minimum required privileges, or mount the filesystem containing boa.conf as read‑only if it must remain enabled
Restrict remote management access by implementing network segmentation or firewall rules that limit traffic to the device's administrative interfaces

Generated by OpenCVE AI on June 8, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://vuldb.com/cve/CVE-2026-11497
https://vuldb.com/submit/834823
https://vuldb.com/vuln/369117
https://vuldb.com/vuln/369117/cti
https://www.dlink.com/
https://www.notion.so/D-link-DCS-5615_REV_1-01-00-3670ed14e5cb80e9be78f7d8dbf1e789?source=copy_link

History

Tue, 09 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dcs-5615 Dlink dcs-5615 Firmware
CPEs		cpe:2.3:h:dlink:dcs-5615:-:::::::* cpe:2.3:o:dlink:dcs-5615_firmware:1.01.00:::::::*
Vendors & Products		Dlink Dlink dcs-5615 Dlink dcs-5615 Firmware
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in D-Link DCS-5615 1.01.00. Affected by this vulnerability is an unknown functionality of the file /etc/conf.d/boa/boa.conf of the component Boa Webserver. Such manipulation leads to least privilege violation. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Title		D-Link DCS-5615 Boa Webserver boa.conf least privilege violation
First Time appeared		D-link D-link dcs-5615
Weaknesses		CWE-266 CWE-272
CPEs		cpe:2.3:h:d-link:dcs-5615::::::::
Vendors & Products		D-link D-link dcs-5615
References		https://vuldb.com/cve/CVE-2026-11497 https://vuldb.com/submit/834823 https://vuldb.com/vuln/369117 https://vuldb.com/vuln/369117/cti https://www.dlink.com/ https://www.notion.so/D-link-DCS-5615_REV_1-01-00-3670ed14e5cb80e9be78f7d8dbf1e789?source=copy_link
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

D-link Dcs-5615

Dlink Dcs-5615 Dcs-5615 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-08T06:30:10.399Z

Updated: 2026-06-09T14:51:12.227Z

Reserved: 2026-06-07T13:18:25.746Z

Link: CVE-2026-11497

Vulnrichment

Updated: 2026-06-09T14:51:08.201Z

NVD

Status : Analyzed

Published: 2026-06-08T09:16:29.517

Modified: 2026-06-09T16:16:48.267

Link: CVE-2026-11497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:32Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object