Security Announcement
DCS-5615 :: All Models, Derivative Models, All Revisions, and All Firmware, End-of-Life (EOL)/End-of-Service Life (EOS) lifecycle
Publication ID: SAP10509
Resolved Status: Yes
Published on: 22 June 2026 11:04 GMT
Last updated on: 22 June 2026 11:04 GMT

Overview

 

D-Link has become aware of public vulnerability reporting concerning the DCS-5615 network camera. The public CVE record identifies D-Link DCS-5615 firmware version 1.01.00 and states that the reported issue involves the Boa Webserver configuration file /etc/conf.d/boa/boa.conf, with remote exploitation described in the public record.[1]

 

The DCS-5615 has reached End-of-Life / End-of-Service lifecycle status. D-Link recommends that customers retire and replace unsupported products with currently supported products that receive active firmware development and lifecycle support.[2][3]

 

D-Link maintains legacy documentation, firmware, and software resources as a convenience for existing owners where those materials remain available. The availability of archive materials does not mean the product is actively supported, updated, or recommended for continued use.[2]

 

Network cameras are networked security endpoints. They may process sensitive video, reside on trusted networks, and operate in environments where privacy, security, compatibility, and lifecycle support expectations have changed materially since legacy products were released. For that reason, replacing unsupported devices is the recommended path to reduce exposure.

 

Before replacing or decommissioning the device, customers should preserve any required video recordings, configuration files, or other operational records according to their own retention and legal requirements.

 

3rd Party Report Information

 

Report 1: CVE-2026-11497, published June 8, 2026. The public CVE record states that a vulnerability was reported in D-Link DCS-5615 1.01.00. The record describes an unknown functionality associated with /etc/conf.d/boa/boa.conf in the Boa Webserver component and states that manipulation may lead to a least privilege violation. The record also states that the issue can be attacked remotely and that exploit information has been publicly disclosed.[1]

 

Reported / Referenced Model

 

Model: DCS-5615
Public report reference: CVE-2026-11497; firmware 1.01.00 referenced.
Region / scope: Worldwide product family; final regional/revision scope to confirm.
Lifecycle status: EOL/EOS; final public date to confirm.
Legacy archive: Yes; use applicable D-Link legacy archive.
Recommended customer guidance: Retire and replace. Archive materials are owner reference only.
Notice last updated: 06/22/2026

 

 

Lifecycle date note: The public D-Link US legacy archive lists the DCS-5615 Last Day of Support in the US as 02/28/2018. For worldwide, the End-of-Service Life date is 12/15/2019. Confirm the final public date before posting.

 

D-Link Legacy Archive

 

D-Link maintains the US legacy archive so owners of legacy products can access final available documentation, firmware, and software resources where those materials remain available. The archive states that resources associated with these products have ceased development, are no longer supported, and that D-Link Systems, Inc. recommends retiring these products and replacing them with products that receive firmware updates.[2]

 

Customers outside the United States and Canada should use the applicable regional D-Link support channel or contact their service provider if the device or firmware was supplied through an ISP, carrier, integrator, or managed service provider.[6][7]

 

Recommended Customer Actions

  • Replace the legacy DCS-5615 with a currently supported product that receives firmware updates and active lifecycle support.
  • Before replacement or decommissioning, back up required recordings, configuration settings, or other operational records according to applicable retention requirements.
  • If replacement cannot be completed immediately, verify the exact model, hardware revision, region, and current firmware version. Where a newer final firmware remains available in the applicable legacy archive, apply only the correct firmware for that exact model and hardware revision.
  • Use a strong, unique administrator password and change any default, weak, or reused credentials.
  • Do not expose the camera management interface directly to the public internet. Remove unnecessary port forwarding, disable remote management where possible, and use a properly secured VPN or managed access method if remote access is required.
  • Limit access to trusted administrators and trusted network segments. For business deployments, place legacy cameras on a segmented network or VLAN and restrict traffic to required services only.
  • Review the camera and surrounding network for unusual activity. If compromise is suspected, disconnect the device from the network, preserve relevant records where required, replace the device, and consult qualified cybersecurity support.

 

Important customer expectation: These steps may reduce exposure while replacement is arranged. They should not be described as a full remediation, a confirmed CVE fix, or a substitute for replacing an unsupported device unless D-Link security and product engineering have validated that position for the exact model, hardware revision, region, and firmware version.
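Added example, not D-Link code and not part of the original advisory: one way to carry out the access-restriction and activity-review steps above is to check gateway connection logs against the intended access policy for the camera. The IP addresses, interface names, recorder (NVR) host and log lines below are constructed assumptions; the log layout follows the Linux netfilter LOG key=value style.

```python
import ipaddress
import re

# Assumed addressing for this example; none of these values come from the advisory.
CAMERAS = {ipaddress.ip_address("192.168.30.20")}        # legacy DCS-5615
ADMIN_NET = ipaddress.ip_network("192.168.10.0/24")       # trusted administrators
ALLOWED_PEERS = {ipaddress.ip_address("192.168.40.5")}    # recorder the camera may reach
INTERNAL = ipaddress.ip_network("192.168.0.0/16")         # all internal segments

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (netfilter LOG style), not captured from a real device.
SAMPLE_LOG = """\
Jun 22 10:01:02 gw kernel: IN=vlan10 OUT=vlan30 SRC=192.168.10.14 DST=192.168.30.20 PROTO=TCP SPT=50112 DPT=80
Jun 22 10:03:40 gw kernel: IN=wan0 OUT=vlan30 SRC=203.0.113.77 DST=192.168.30.20 PROTO=TCP SPT=41001 DPT=80
Jun 22 10:04:11 gw kernel: IN=vlan30 OUT=vlan40 SRC=192.168.30.20 DST=192.168.40.5 PROTO=TCP SPT=40022 DPT=554
Jun 22 10:09:57 gw kernel: IN=vlan30 OUT=wan0 SRC=192.168.30.20 DST=198.51.100.9 PROTO=TCP SPT=40310 DPT=443
Jun 22 10:10:03 gw kernel: IN=vlan20 OUT=vlan30 SRC=192.168.20.31 DST=192.168.30.20 PROTO=TCP SPT=53100 DPT=80
"""

def classify(line):
    """Return a finding string for one log line, or None if it matches policy."""
    f = dict(KV.findall(line))
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
    except (KeyError, ValueError):
        return None  # not a connection record we can parse
    port = f.get("DPT", "?")
    if dst in CAMERAS and src not in CAMERAS:
        if src in ADMIN_NET or src in ALLOWED_PEERS:
            return None  # trusted administrator or recorder
        kind = "untrusted-segment" if src in INTERNAL else "internet"
        return f"inbound-from-{kind} {src} -> {dst}:{port}"
    if src in CAMERAS and dst not in ALLOWED_PEERS:
        return f"camera-initiated {src} -> {dst}:{port}"
    return None

def review(log_text):
    """Collect findings for every line that violates the access policy."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

An inbound-from-internet finding indicates a port forward or remote-management exposure that should be removed; a camera-initiated finding toward an unexpected destination is the kind of unusual activity that warrants disconnecting the device and investigating.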

 

Regional Support and Third-Party Firmware

 

D-Link US/Canada lifecycle guidance applies to products supported through D-Link US/Canada channels. Customers outside the United States and Canada should consult the applicable regional D-Link office. Customers who received a device or firmware through an Internet service provider, carrier, installer, or managed service provider should contact that provider for product-specific guidance.[6][7]

 

D-Link does not test, validate, or support third-party or open-source firmware for this legacy product. Customers who choose to install non-D-Link firmware should understand that D-Link cannot advise on its safety, compatibility, reliability, or suitability for their network or deployment environment.

 

Source References

 

Ref | Source | Document | URL
[1] | CVE Program | CVE-2026-11497: D-Link DCS-5615 Boa Webserver boa.conf least privilege violation | Open source
[2] | D-Link Systems, Inc. | D-Link US Legacy Products archive | Open source
[5] | VulDB | CVE-2026-11497 in DCS-5615 | Open source
[6] | D-Link Systems, Inc. | D-Link US Support portal | Open source