CVE-2016-11021

HIGH KEV

D-Link DCS-930L Firmware < 2.12 - Remote Code Execution via SystemCommand Parameter

Title source: llm

Exploitation Summary

CVE-2016-11021 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 2 public exploits from researchers including Metasploit, Nicholas Starke <[email protected]>, including a Metasploit module exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.

AI-analyzed exploit summary This Metasploit module exploits an authenticated OS command injection vulnerability in D-Link DCS-930L cameras via the `/setSystemCommand` endpoint. It logs in with provided credentials, triggers a telnet backdoor on a random high port, and establishes an interactive shell session.

Description

setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotehardware

https://www.exploit-db.com/exploits/39437

View Code ZIP pw:eip

This Metasploit module exploits an authenticated OS command injection vulnerability in D-Link DCS-930L cameras via the `/setSystemCommand` endpoint. It logs in with provided credentials, triggers a telnet backdoor on a random high port, and establishes an interactive shell session.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: D-Link DCS-930L Network Video Camera (firmware < 2.12)

Auth required

Prerequisites: Network access to the target device · Valid credentials for the D-Link camera web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Nicholas Starke <[email protected]> · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated OS command injection vulnerability in D-Link DCS-930L cameras via the `/setSystemCommand` endpoint. It authenticates with provided credentials, injects a command to spawn a telnet service, and establishes an interactive shell session.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: D-Link DCS-930L Network Video Camera (firmware < 2.12)

Auth required

Prerequisites: Valid credentials for the D-Link DCS-930L web interface · Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/39437

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-11021

Scores

CVSS v3 7.2

EPSS 0.6853

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-25

VulnCheck KEV 2021-11-11

InTheWild.io 2022-03-25

ENISA EUVD EUVD-2016-2012

CWE

CWE-78

Status published

Products (1)

dlink/dcs-930l_firmware < 2.12

Published Mar 09, 2020

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026