{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dcs-935l--1.10.01/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-8260"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DCS-935L (\u003c= 1.10.01)"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","cve","d-link"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eD-Link DCS-935L devices running firmware up to version 1.10.01 are susceptible to a buffer overflow vulnerability (CVE-2026-8260) affecting the HNAP (Home Network Administration Protocol) service. The vulnerability resides within the \u003ccode\u003eSetDeviceSettings\u003c/code\u003e function located in \u003ccode\u003e/web/cgi-bin/hnap/hnap_service\u003c/code\u003e. An attacker can remotely exploit this vulnerability by sending a specially crafted request that overflows the buffer allocated for the \u003ccode\u003eAdminPassword\u003c/code\u003e argument. Publicly available exploits exist, increasing the risk of exploitation. This vulnerability poses a significant threat to device confidentiality, integrity, and availability, as successful exploitation can lead to arbitrary code execution and full device compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a D-Link DCS-935L device running vulnerable firmware (\u0026lt;= 1.10.01) accessible over the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003e/web/cgi-bin/hnap/hnap_service\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003eSetDeviceSettings\u003c/code\u003e action with an \u003ccode\u003eAdminPassword\u003c/code\u003e argument containing a payload exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe device processes the request, calling the \u003ccode\u003eSetDeviceSettings\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the oversized \u003ccode\u003eAdminPassword\u003c/code\u003e argument overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSetDeviceSettings\u003c/code\u003e function completes and attempts to return execution to the overwritten return address.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled return address redirects execution to a malicious code payload injected within the \u003ccode\u003eAdminPassword\u003c/code\u003e argument or elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device, potentially leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8260 can lead to complete compromise of the affected D-Link DCS-935L device. This includes the ability to execute arbitrary code, gain unauthorized access to device settings and sensitive information, and potentially use the device as a bot in a larger attack. Given the widespread use of these devices, a large number of users are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates from D-Link to mitigate CVE-2026-8260 on affected DCS-935L devices (reference: affected_products).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/web/cgi-bin/hnap/hnap_service\u003c/code\u003e with unusually long \u003ccode\u003eAdminPassword\u003c/code\u003e values in the request body (reference: rules).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts against the HNAP service (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T02:17:24Z","date_published":"2026-05-11T02:17:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dlink-dcs-935l-buffer-overflow/","summary":"D-Link DCS-935L devices up to version 1.10.01 are vulnerable to a remote buffer overflow (CVE-2026-8260) in the HNAP service that can be triggered by manipulating the AdminPassword argument in the SetDeviceSettings function.","title":"D-Link DCS-935L HNAP Service Buffer Overflow (CVE-2026-8260)","url":"https://feed.craftedsignal.io/briefs/2026-05-dlink-dcs-935l-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — DCS-935L (\u003c= 1.10.01)","version":"https://jsonfeed.org/version/1.1"}