Description
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the sub_42EF14 function of the /bin/alphapd binary in D-Link DCS-932L firmware 2.18.01 and is triggered by manipulating the LightSensorControl argument. By sending a crafted value, an attacker can inject and execute shell commands on the device. This gives the attacker full control, compromising the confidentiality, integrity, and availability of the device and potentially of the network segment it sits on. The vulnerability is classified as CWE-77 (Command Injection); flaws of this class typically require no prior local access and are particularly dangerous when the device is exposed to the internet.

Affected Systems

D‑Link DCS‑932L devices running firmware version 2.18.01 are affected. No other versions or firmware variants are listed.

Risk and Exploitability

The CVSS score is 7.3. The EPSS score of < 1% indicates a very low, but nonzero, probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw is directly reachable over the network, any device within network reach can be attacked by sending a specially crafted LightSensorControl request. The lack of disclosure of mitigation measures in public sources suggests that exploitation is straightforward if network access exists. The risk remains high due to the potential for complete compromise, even though the overall probability of exploitation is low.

Generated by OpenCVE AI on May 12, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to the latest version released by D‑Link according to the official security bulletin.
  • If an immediate firmware upgrade is not possible, block or limit external access to the device, and/or filter out requests containing the LightSensorControl parameter via a firewall or proxy.
  • Apply any available D‑Link patches or hotfixes that address command injection as soon as they are released.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title Command Injection via LightSensorControl in D-Link DCS-932L firmware

Tue, 12 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlink dcs-932l Firmware
CPEs cpe:2.3:h:dlink:dcs-932l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dcs-932l_firmware:2.18.01:*:*:*:*:*:*:*
Vendors & Products Dlink dcs-932l Firmware

Tue, 12 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Command Injection via LightSensorControl in D-Link DCS-932L v2.18.01
Weaknesses CWE-78

Tue, 12 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dcs-932l
Vendors & Products Dlink
Dlink dcs-932l

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Command Injection via LightSensorControl in D-Link DCS-932L v2.18.01
Weaknesses CWE-78

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T14:34:05.858Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36983

Vulnrichment

Updated: 2026-05-12T14:32:17.726Z

NVD

Status: Analyzed

Published: 2026-05-11T18:16:32.610

Modified: 2026-05-12T19:36:42.187

Link: CVE-2026-36983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z
