CVE-2026-36983 - Vulnerability Details

- Command Injection via LightSensorControl in D-Link DCS-932L Firmware 2.18.01

Description

D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.

Published: 2026-05-11

Score: 7.3 High

EPSS: 5.8% Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the sub_42EF14 function of the /bin/alphapd binary in D‑Link DCS‑932L firmware 2.18.01. Manipulating the LightSensorControl argument can cause a command injection, allowing an attacker to execute arbitrary shell commands on the device. Based on the description, it is inferred that this injection could provide the attacker with full control over the device, potentially compromising confidentiality, integrity, and availability.

Affected Systems

D‑Link DCS‑932L devices running firmware version 2.18.01 are affected. No other firmware versions or variants are explicitly listed.

Risk and Exploitability

The CVSS score is 7.3, indicating high severity. The EPSS score of 6% indicates a low to moderate likelihood of exploitation. The vulnerability is not listed in CISA KEV. The flaw can be triggered by sending a crafted request that manipulates the LightSensorControl argument. Based on the description, it is inferred that the attack vector is remote, as the parameter can be altered over the network, and that no local privilege escalation is required to exploit the flaw.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dcs-932l_firmware:2.18.01:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-932l:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Dlink

Dcs-932l

80%

Version	Status	Scheme	Platform
`2.18.01`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the device firmware to the latest version released by D‑Link, as specified in the official security bulletin.
As a temporary measure, block or limit external access to the device or filter requests containing the LightSensorControl parameter through a firewall or proxy.
Monitor the device for unusual activity and isolate it from untrusted networks if a patch is not yet available.

Generated by OpenCVE AI on May 17, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.05775.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/fru1ts/IoT_vul/blob/main/D-Link/DCS-932L.md
https://www.dlink.com/en/security-bulletin/

History

Sun, 17 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
Title		Command Injection via LightSensorControl in D-Link DCS-932L Firmware 2.18.01

Wed, 13 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Title	Command Injection via LightSensorControl in D-Link DCS-932L firmware

Tue, 12 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
Title		Command Injection via LightSensorControl in D-Link DCS-932L firmware

Tue, 12 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink dcs-932l Firmware
CPEs		cpe:2.3:h:dlink:dcs-932l:-:::::::* cpe:2.3:o:dlink:dcs-932l_firmware:2.18.01:::::::*
Vendors & Products		Dlink dcs-932l Firmware

Tue, 12 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Title	Command Injection via LightSensorControl in D-Link DCS-932L v2.18.01
Weaknesses	CWE-78

Tue, 12 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dcs-932l
Vendors & Products		Dlink Dlink dcs-932l

Mon, 11 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Title		Command Injection via LightSensorControl in D-Link DCS-932L v2.18.01
Weaknesses		CWE-78

Mon, 11 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
References		https://github.com/fru1ts/IoT_vul/blob/main/D-Link/DCS-932L.md https://www.dlink.com/en/security-bulletin/

Subscriptions

Dlink Dcs-932l Dcs-932l Firmware

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-11T00:00:00.000Z

Updated: 2026-05-12T14:34:05.858Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36983

Vulnrichment

Updated: 2026-05-12T14:32:17.726Z

NVD

Status : Analyzed

Published: 2026-05-11T18:16:32.610

Modified: 2026-05-12T19:36:42.187

Link: CVE-2026-36983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T14:45:03Z

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object