Impact
An OS command injection flaw exists in the setconf.cgi component of D-Link DCS-935L firmware 1.10.01. It is triggered by tampering with the UID POST parameter, which causes the function sub_400E40 to execute arbitrary shell commands. Successful exploitation lets an attacker run any command on the device with the privileges of the web server process, effectively granting full control of the device. The weakness maps to CWE-77 and CWE-78, i.e. an input-validation failure that leads to command execution.
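The pattern behind CWE-78 is a request parameter pasted into a shell command line. The following C is an added illustration written for this page, not the firmware's own code and not the decompiled sub_400E40: it shows the vulnerable shape as a comment and then the two mitigations a defender would apply in a CGI handler, an allow-list on the UID value and execution without a shell. UID_MAX_LEN, the helper path, the "--uid" flag and the sample inputs are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed upper bound on a legitimate UID value (not taken from the firmware). */
#define UID_MAX_LEN 32

/* Hypothetical helper binary that consumes the UID; the real firmware's
 * target is unknown, so this path is a placeholder. */
#define UID_TOOL_PATH "/usr/sbin/example-uid-tool"

/* CWE-78 shape the advisory describes (generic reconstruction, not the real
 * sub_400E40): the parameter is pasted into a shell command line, so any
 * shell metacharacter in it changes what runs.
 *
 *     char cmd[256];
 *     snprintf(cmd, sizeof cmd, "uid_tool %s", uid);   // uid straight from POST
 *     system(cmd);                                      // /bin/sh -c "uid_tool <uid>"
 */

/* Mitigation 1, allow-list validation: accept only [A-Za-z0-9_.-] of bounded,
 * non-zero length. Rejecting everything else (space, ';', '|', '&', '`', '$',
 * quotes, newlines) is simpler and safer than trying to escape it. */
bool uid_is_safe(const char *uid)
{
    if (uid == NULL) return false;
    size_t len = strlen(uid);
    if (len == 0 || len > UID_MAX_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uid[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return false;
    }
    return true;
}

/* Mitigation 2, no shell: build an argv vector for execv() so the UID becomes
 * exactly one argument and no shell ever parses it. Returns 0 on success, -1
 * if the UID is rejected (argv_out is then left untouched). */
int prepare_uid_argv(const char *uid, const char *argv_out[4])
{
    if (!uid_is_safe(uid)) return -1;
    argv_out[0] = UID_TOOL_PATH;
    argv_out[1] = "--uid";
    argv_out[2] = uid;
    argv_out[3] = NULL;
    return 0;
}

/* Run the helper without a shell; returns the child's exit status, or -1 if
 * the UID was rejected or the child could not be started/awaited. */
int run_uid_tool(const char *uid)
{
    const char *argv[4];
    if (prepare_uid_argv(uid, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample UID values: two well-formed, three that must be rejected. */
    const char *samples[] = { "cam01", "user_7.local", "a;b", "x|y", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("UID \"%s\" -> %s\n", samples[i],
               uid_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Both mitigations matter independently: the allow-list stops malformed input at the boundary, and execv() with a fixed argv means that even a later loosening of the allow-list cannot reintroduce shell interpretation, because there is no shell in the path.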
Affected Systems
The affected devices are D-Link DCS-935L routers running firmware version 1.10.01. No other versions or models are listed as affected in the current records.
Risk and Exploitability
The CVSS score of 8.7 classifies this flaw as high severity with a network (remote) attack vector. The EPSS score of 3% indicates a low but non-zero probability of exploitation in the wild, yet the vulnerability has already been publicly disclosed, so attack details are available. It is not yet listed in the CISA KEV catalog. The risk remains high because the flaw is remotely exploitable and publicly disclosed, while patch availability is not confirmed.
OpenCVE Enrichment