D-Link DIR-2640 LocalIPAddress Command Injection Remote Code Execution Vulnerability
Description
D-Link DIR-2640 LocalIPAddress Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of the LocalIPAddress parameter provided to the HNAP1 endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-19544.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in D-Link DIR-2640 router's HNAP1 LocalIPAddress parameter allows authenticated network-adjacent attackers to execute arbitrary code as root.
Vulnerability
The vulnerability is a command injection in the LocalIPAddress parameter of the HNAP1 endpoint on D-Link DIR-2640 routers with firmware versions v1.11B02 and v1.11B02 Beta01 (all A series hardware revisions) [1][2]. The lack of proper validation of user-supplied input before using it in a system call allows injection of arbitrary commands.
Exploitation
An attacker must be network-adjacent and have authenticated access to the router's HNAP interface, though the authentication mechanism can be bypassed (as noted in related ZDI-CAN-19545) [1][2]. The attacker sends a crafted request to the HNAP1 endpoint with a malicious LocalIPAddress parameter, which is then executed as a system command.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of root, leading to full compromise of the router's confidentiality, integrity, and availability [2].
Mitigation
D-Link has released a fixed firmware version v1.11B02_Beta_Hotf… (incomplete in reference) for DIR-2640 A series hardware revisions [1]. Users should update to the latest firmware. No workaround is provided; the product may be end-of-life. Not listed on CISA KEV as of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- supportannouncement.us.dlink.com/announcement/publication.aspxmitrevendor-advisory
- www.zerodayinitiative.com/advisories/ZDI-23-539/mitrex_research-advisory
News mentions
0No linked articles in our index yet.