Stack-based Buffer Overflow in D-Link DCS Series Wi-Fi Cameras
CVE-2019-10999

8.8HIGH

Key Information:

Vendor: D-Link
Status: Dcs-930l Firmware
Vendor: CVE Published:; 6 May 2019

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 26%

Summary

The D-Link DCS series of Wi-Fi cameras are vulnerable to a stack-based buffer overflow in their internal web server, alphapd. This vulnerability allows a remotely authenticated attacker to execute arbitrary code by sending a maliciously crafted long string through the WEPEncryption parameter when accessing the wireless.htm page. Affected models include several DCS series cameras such as DCS-5009L, DCS-5010L, and more, with specific firmware versions listed. This issue poses significant security risks, as it could enable attackers to gain unauthorized access and control over the devices.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-10999
Created by tacnetsol

CVE-2019-10999
Created by qjh2333

References

https://github.com/fuzzywalls/CVE-2019-10999

x_refsource_MISC

https://supportannouncement.us.dlink.com/announcement/pub...

x_refsource_CONFIRM

EPSS Score

26% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Mar 9, 2022
Vulnerability published
May 6, 2019
Vulnerability Reserved
Apr 8, 2019
👾
Exploit known to exist
Jan 23, 2019