CVE-2016-11021

CVSS 7.2 HIGH · EPSS 68.5% · KEV · CWE-78
Vexday Risk Score: 98 (Fix now)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 7.2 · EPSS 68.5% · KEV yes · Public PoC · Nuclei Metasploit yes · Patch
Lifecycle
20 Dec 2015: Metasploit module available
09 Mar 2020: Published on NVD
25 Mar 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A D-Link DCS-930L camera before version 2.12 allows attackers to run arbitrary commands on the device by sending specially crafted requests. This means someone could take control of your camera and do whatever they want with it.

Technical detail

An OS command injection vulnerability exists in the setSystemCommand function of D-Link DCS-930L firmware versions prior to 2.12. The SystemCommand parameter is not properly sanitized, allowing unauthenticated or low-privilege remote attackers to execute arbitrary OS commands with device privileges. Exploitation requires network access to the affected endpoint.

Summary generated and translated by AI from the official description.
setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a