How is CVE-2026-12174 exploited?

Network reachability (required): The vulnerable HTTP handler is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely. Authentication (required): The attack requires a low-privilege account on the device; unauthenticated access alone is not sufficient. Victim interaction (not-required): No victim action is needed; the attacker sends a crafted HTTP request directly to the endpoint. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configuration.

What is the impact of CVE-2026-12174?

An attacker can read arbitrary memory from the device process, exposing stored credentials, session tokens, or configuration data. An attacker can write to arbitrary memory locations, modifying device behavior or injecting malicious logic into the running process. An attacker can crash the HTTP handler or the device firmware process entirely, taking the camera offline and disrupting monitoring coverage. Because confidentiality, integrity, and availability are all fully compromised at the vulnerable component level, an attacker effectively has full control over the affected device.

Back to search

HIGHCVE-2026-12174Published 2026-06-13Modified 2026-06-13CNA VulDB

CVE-2026-12174: D-Link DCS-935L HTTP rhea snprintf format string

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A format string vulnerability exists in the D-Link DCS-935L network camera, version 1.10.01, in the HTTP handler component responsible for processing requests to the /web/cgi-bin/greece/rhea endpoint via the snprintf function. The flaw is reachable over the network with low-privilege credentials and no victim interaction required. Successful exploitation gives an attacker full read, write, and crash capability over the affected device. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-12174 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from or bundling the affected D-Link firmware components.

Available

Triage

Triage is available with CVSS v4.0 scoring at 8.7 (HIGH), weighted against each customer organization's compliance policy to determine priority and routing. Findings are surfaced to the appropriate team inbox within each customer org based on configured ownership rules.

Available

Patch

No fix version has been published by D-Link for this vulnerability. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, that will trigger a rebuild, regression run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable HTTP handler is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely.
AuthenticationRequired
The attack requires a low-privilege account on the device; unauthenticated access alone is not sufficient.
Victim interactionNot required
No victim action is needed; the attacker sends a crafted HTTP request directly to the endpoint.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configuration.

Blast Radius

An attacker can read arbitrary memory from the device process, exposing stored credentials, session tokens, or configuration data.
An attacker can write to arbitrary memory locations, modifying device behavior or injecting malicious logic into the running process.
An attacker can crash the HTTP handler or the device firmware process entirely, taking the camera offline and disrupting monitoring coverage.
Because confidentiality, integrity, and availability are all fully compromised at the vulnerable component level, an attacker effectively has full control over the affected device.

How HarborGuard Handles This

Available on HarborGuard: images containing or derived from the affected D-Link DCS-935L 1.10.01 firmware are flagged immediately upon CVE ingestion, with findings scored at CVSS 8.7 HIGH and routed per each customer's compliance policy. Because no upstream fix exists yet, HarborGuard monitors the VulDB and D-Link advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, that event triggers an automated rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict HTTP access to the camera's management interface to trusted source addresses only, egress filtering to limit outbound connections from camera hosts, and disabling remote HTTP management if the device firmware provides that option.

See how HarborGuard automates this

Affected packages

D-Link / DCS-935L
1.10.01

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

Metrics

Get notified