Command Injection Vulnerability in D-Link DCS-5009, DCS-5010, and DCS-5020L Devices

CVE-2017-17020 · MEDIUM Severity

AV:N/AC:L/Au:S/C:P/I:P/A:P

On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (the binary responsible for running the camera's web server) allows remote authenticated attackers to execute code through sanitized /setSystemAdmin user input in the AdminID field being passed directly to a call to system.
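The fix pattern for this bug class, as an added example (not D-Link's code or patch): the AdminID value is checked against an allowlist and handed to a helper program as a single argv element, so no shell ever parses it. The function names, the helper path parameter and the 32-character limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ADMIN_ID_MAX 32 /* assumed limit, not taken from the firmware */

/* Allowlist check for an AdminID-style field: 1..ADMIN_ID_MAX characters
 * from [A-Za-z0-9_.-], and no leading '-' so the value cannot be read as
 * an option by the helper. Everything else is rejected, not escaped. */
int admin_id_is_valid(const char *id)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789_.-";
    size_t n;

    if (id == NULL)
        return 0;
    n = strlen(id);
    if (n == 0 || n > ADMIN_ID_MAX || id[0] == '-')
        return 0;
    return strspn(id, allowed) == n;
}

/* Replacement for building a command string and calling system():
 * helper_path (hypothetical) is executed directly with the validated id
 * as one argument and an empty environment. Returns the helper's exit
 * status, or -1 if the id is rejected or the helper could not be run. */
int run_admin_helper(const char *helper_path, const char *id)
{
    int status;
    pid_t pid;

    if (helper_path == NULL || !admin_id_is_valid(id))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, (char *)id, NULL };
        char *const envp[] = { NULL };
        execve(helper_path, argv, envp);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```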
