Description
A vulnerability was determined in D-Link DCS-933L up to 1.14.11. This affects an unknown function of the file /setSystemAdmin of the component alphapd. This manipulation of the argument AdminID causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-02-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in the alphapd component of D-Link DCS-933L, where the /setSystemAdmin endpoint accepts an AdminID parameter without proper validation. This omission allows an attacker to inject arbitrary shell commands, which are then executed on the device's operating system. The vulnerability is a classic command injection, classified under CWE-74 (improper neutralization of special elements in output used by a downstream component, i.e. injection) and CWE-77 (improper neutralization of special elements used in a command, i.e. command injection).

Affected Systems

Devices identified as D‑Link DCS‑933L with firmware versions up to and including 1.14.11 are affected. Firmware beyond 1.14.11 and other D‑Link hardware do not contain the vulnerable software path and are therefore not impacted.

Risk and Exploitability

The CVSS v3.1 score is 5.3, indicating a moderate severity. Because the EPSS score is less than 1%, exploitation has not yet become widespread, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, remote attackers who can reach the administrative interface of an unsupported DCS‑933L can potentially inject and run shell commands, compromising confidentiality, integrity, and availability of the device and any connected networks.

Generated by OpenCVE AI on April 18, 2026 at 13:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware that removes the vulnerable /setSystemAdmin endpoint from the device.
  • If no firmware update is available, replace the D‑Link DCS‑933L with a supported model that does not expose this functionality.
  • Configure network or firewall rules to restrict access to the administrative interface so that only trusted hosts can reach the /setSystemAdmin endpoint.


Advisories

No advisories yet.

History

Wed, 11 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dlink; Dlink dcs-933l; Dlink dcs-933l Firmware
CPEs | | cpe:2.3:h:dlink:dcs-933l:-:*:*:*:*:*:*:*; cpe:2.3:o:dlink:dcs-933l_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Dlink; Dlink dcs-933l; Dlink dcs-933l Firmware

Tue, 10 Feb 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | D-link; D-link dcs-933l
Vendors & Products | | D-link; D-link dcs-933l

Mon, 09 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in D-Link DCS-933L up to 1.14.11. This affects an unknown function of the file /setSystemAdmin of the component alphapd. This manipulation of the argument AdminID causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
Title | | D-Link DCS-933L alphapd setSystemAdmin command injection
Weaknesses | | CWE-74; CWE-77
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:57:39.765Z

Reserved: 2026-02-08T14:48:00.369Z

Link: CVE-2026-2218

Vulnrichment

Updated: 2026-02-09T16:11:21.031Z

NVD

Status: Analyzed

Published: 2026-02-09T06:16:25.013

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:15:25Z

Weaknesses