📄 Description (English)
A vulnerability was found in D-Link DCS-935L up to 1.10.01. The impacted element is the function SetDeviceSettings of the file /web/cgi-bin/hnap/hnap_service of the component HNAP Service. The manipulation of the argument AdminPassword results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
🤖 AI Executive Summary
A critical remote buffer overflow vulnerability exists in D-Link DCS-935L IP cameras (firmware up to 1.10.01) affecting the HNAP service SetDeviceSettings function. The vulnerability allows unauthenticated remote attackers to execute arbitrary code by manipulating the AdminPassword parameter. With public exploits available and no patch currently available, this poses an immediate threat to organizations using these devices for surveillance and security monitoring.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 13, 2026 21:36
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in banking, government, healthcare, and energy sectors utilizing D-Link DCS-935L cameras for facility security and surveillance face critical risk. ARAMCO facilities, SAMA-regulated financial institutions, NCA government buildings, and healthcare providers (MOH) are particularly vulnerable. Compromised cameras could enable unauthorized facility access, data exfiltration, and lateral network movement. The lack of authentication requirement makes this especially dangerous for perimeter security systems and critical infrastructure monitoring.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA oversight)
Healthcare (MOH facilities)
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily)
Critical Infrastructure
Hospitality and Retail
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all D-Link DCS-935L devices in your network using asset discovery tools
2. Isolate affected cameras from critical networks or disable HNAP service if possible
3. Implement network segmentation to restrict access to camera management interfaces
4. Change all default credentials and AdminPassword values immediately
5. Monitor for suspicious HNAP service requests and SetDeviceSettings calls
COMPENSATING CONTROLS:
1. Deploy WAF/IPS rules to block malicious SetDeviceSettings requests with oversized AdminPassword parameters
2. Restrict HNAP service access (port 80/443) to authorized management networks only
3. Implement strict firewall rules limiting camera access to specific subnets
4. Enable detailed logging of all HNAP service activities
5. Deploy network-based intrusion detection signatures for buffer overflow attempts
DETECTION RULES:
1. Monitor for HTTP POST requests to /web/cgi-bin/hnap/hnap_service with AdminPassword parameter exceeding 256 bytes
2. Alert on SetDeviceSettings function calls from unexpected source IPs
3. Track failed authentication attempts followed by HNAP service calls
4. Monitor for process execution or shell spawning from camera processes
PATCHING:
1. Contact D-Link support for firmware updates beyond 1.10.01
2. Evaluate replacement with patched camera models if updates unavailable
3. Consider temporary decommissioning of affected devices until patches available
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة D-Link DCS-935L في شبكتك باستخدام أدوات اكتشاف الأصول
2. عزل الكاميرات المتأثرة عن الشبكات الحرجة أو تعطيل خدمة HNAP إن أمكن
3. تطبيق تقسيم الشبكة لتقييد الوصول إلى واجهات إدارة الكاميرا
4. تغيير جميع بيانات الاعتماد الافتراضية وقيم AdminPassword فوراً
5. مراقبة طلبات خدمة HNAP المريبة واستدعاءات SetDeviceSettings
الضوابط التعويضية:
1. نشر قواعد WAF/IPS لحجب طلبات SetDeviceSettings الضارة ذات معاملات AdminPassword الكبيرة
2. تقييد وصول خدمة HNAP (المنفذ 80/443) إلى شبكات الإدارة المصرح بها فقط
3. تطبيق قواعد جدار الحماية الصارمة لتقييد وصول الكاميرا إلى شبكات فرعية محددة
4. تفعيل تسجيل مفصل لجميع أنشطة خدمة HNAP
5. نشر توقيعات كشف الاختراق القائمة على الشبكة لمحاولات تجاوز السعة
قواعد الكشف:
1. مراقبة طلبات HTTP POST إلى /web/cgi-bin/hnap/hnap_service مع معامل AdminPassword يتجاوز 256 بايت
2. تنبيه استدعاءات SetDeviceSettings من عناوين IP غير متوقعة
3. تتبع محاولات المصادقة الفاشلة متبوعة باستدعاءات خدمة HNAP
4. مراقبة تنفيذ العمليات أو توليد shell من عمليات الكاميرا
التصحيح:
1. الاتصال بدعم D-Link للحصول على تحديثات البرامج الثابتة بعد 1.10.01
2. تقييم الاستبدال بنماذج كاميرا مصححة إذا لم تتوفر التحديثات
3. النظر في إيقاف مؤقت للأجهزة المتأثرة حتى توفر التصحيحات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control implementation
A.8.1.1 - Asset management and inventory
A.12.2.1 - Change management procedures
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Software platforms and applications are inventoried
PR.AC-1 - Identities and credentials are issued and managed
PR.PT-2 - Removable media is protected and its use restricted
DE.CM-1 - The network is monitored for unauthorized connections
RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Screening
A.8.1 - Asset inventory and responsibility
A.12.2 - Change management
A.12.6 - Management of technical vulnerabilities and exposures
🟣 PCI DSS v4.0.1
Requirement 2.1 - Change vendor-supplied defaults
Requirement 6.2 - Security patches installation
Requirement 11.2 - Vulnerability scanning
🔗 References & Sources 5
🔗
https://github.com/0xcc12138/DCS-935L-HNAP-Service-CVE
cna@vuldb.com
Exploit
Third Party Advisory
🔗
https://vuldb.com/submit/809888
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/362557
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/362557/cti
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://www.dlink.com/
cna@vuldb.com
Product
📦 Affected Products / CPE 1 entries
dlink:dcs-935l_firmware