CVE-2026-12174
Description
A format string vulnerability in D-Link DCS-935L camera's CGI binary allows authenticated remote attackers to achieve RCE by supplying crafted format specifiers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A format string vulnerability (CWE-134) exists in the rhea CGI binary of D-Link DCS-935L HD Wi-Fi Camera firmware version 1.10.01 (Build 20161128). The HTTP handler at /web/cgi-bin/greece/rhea uses the snprintf function with user-supplied input from the sn and hwv parameters directly as the format string argument, rather than as a data argument. This allows an attacker to control the format string. The vulnerability is reachable via HTTP requests to /greece/rhea on the camera's web server, requiring authentication except for requests originating from localhost (127.0.0.1), which bypass authentication [1].
Exploitation
An authenticated remote attacker can trigger the vulnerability by crafting HTTP GET requests to /greece/rhea?act=set_sn&sn=%x.%x... (or similar format specifiers). The response includes the leaked stack memory in the sn field, enabling information disclosure. For remote code execution, the attacker can use %n and %hn format specifiers to write arbitrary values to memory locations. The attack requires network access and authentication credentials (or localhost access), but no user interaction beyond the attacker's own requests [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) with the privileges of the CGI process (likely root or www-data). It also enables arbitrary read of stack memory, potentially leaking sensitive data such as addresses and credentials. The CVSS v3.1 score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impact [1].
Mitigation
As of the publication date (2026-06-13), no official firmware update has been released by D-Link to address this vulnerability. The vendor's website [2] does not mention a patch. The device may be end-of-life; users are advised to restrict network access to the camera (e.g., place it behind a firewall, disable remote management, or isolate it on a separate VLAN) and monitor for vendor updates. Since a public proof of concept exists, immediate mitigation is recommended [1].
AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied HTTP parameter values are passed directly as the format string argument to snprintf() instead of as a data argument, enabling externally-controlled format string exploitation."
Attack vector
An authenticated attacker sends HTTP GET requests to `/greece/rhea` with parameters such as `act=set_sn&sn=%x.%x...`. The httpd web server routes `/greece/*` paths to the rhea CGI binary via `fork()` + `execve()`. Because the CGI program passes the attacker-controlled parameter value directly as the format string to `snprintf()`, supplying format specifiers like `%x` leaks stack memory, while `%n` and `%hn` allow writing arbitrary values to arbitrary addresses, enabling remote code execution. Requests from localhost (127.0.0.1) bypass authentication entirely, lowering the privilege requirement in some scenarios. [1]
Affected code
The vulnerability resides in the CGI binary `/web/cgi-bin/greece/rhea` on the D-Link DCS-935L camera (firmware 1.10.01). The `main()` function and `sub_400D60()` pass user-supplied HTTP parameters `sn` and `hwv` directly as the format string argument to `snprintf()` instead of as a data argument.
What the fix does
The advisory states the immediate fix is to change the vulnerable `snprintf()` calls to use `"%s"` as the format string: `snprintf(s_1, 0x100, "%s", param_value)`. This ensures the user-supplied value is treated as a data argument rather than interpreted as a format string, preventing both memory disclosure via `%x` and arbitrary write via `%n`. No vendor patch has been published. [1]
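The fix described above, as an added example that is not the vendor's or the advisory's code: the vulnerable call pattern (compiled only when `SHOW_VULNERABLE_PATTERN` is defined) next to the constant-format form with a truncation check. The function names, the `FIELD_MAX` macro and the character allowlist for `sn`/`hwv` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 0x100  /* buffer size used in the advisory's suggested call */

#ifdef SHOW_VULNERABLE_PATTERN
/* The pattern described on the page: the request value IS the format string,
 * so any conversion specifier in it is interpreted by snprintf(). */
static void store_field_vulnerable(char *dst, const char *param_value)
{
    snprintf(dst, FIELD_MAX, param_value);
}
#endif

/* Hardened form from the advisory: constant "%s" format, value passed as data.
 * Returns 0 on success, -1 on bad arguments or if the value did not fit. */
int store_field(char *dst, size_t dstsz, const char *param_value)
{
    int n;
    if (dst == NULL || dstsz == 0 || param_value == NULL)
        return -1;
    n = snprintf(dst, dstsz, "%s", param_value);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';          /* do not keep a silently truncated value */
        return -1;
    }
    return 0;
}

/* Assumed defense in depth: serial number / hardware version limited to
 * alphanumerics, '-', '_' and '.', which excludes '%' entirely. */
int is_plain_token(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '_' && *s != '.')
            return 0;
    return 1;
}

int main(void)
{
    char sn[FIELD_MAX];
    const char *sample = "%x.%x";   /* constructed sample request value */
    if (store_field(sn, sizeof sn, sample) == 0)
        printf("sn=%s plain=%d\n", sn, is_plain_token(sample));
    return 0;
}
```

With the constant format the specifiers come back as literal text; building with `-Werror=format-security` turns the vulnerable pattern into a compile error.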
Preconditions
- network: Attacker must be able to send HTTP requests to the camera's web server on the path /greece/rhea
- auth: HTTP Basic/Digest authentication is required unless the request originates from 127.0.0.1 (localhost), which bypasses authentication
Generated on Jun 13, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0
No linked articles in our index yet.