D-Link DIR-2640 EmailFrom Command Injection Remote Code Execution Vulnerability
Description
D-Link DIR-2640 EmailFrom Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of the EmailFrom parameter provided to the HNAP1 endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-19550.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in D-Link DIR-2640 EmailFrom parameter allows network-adjacent authenticated attackers to execute arbitrary code as root.
Vulnerability
The vulnerability is a command injection in the EmailFrom parameter handled by the HNAP1 endpoint on D-Link DIR-2640 routers with firmware versions v1.11B02 and v1.11B02 Beta01 (all A series hardware revisions) [1]. The flaw results from insufficient validation of user-supplied input before it is used in a system call, allowing an attacker to inject arbitrary commands [2].
Exploitation
An attacker must be network-adjacent and have authenticated access to the router's HNAP1 interface. However, the authentication mechanism can be bypassed, as noted in related vulnerabilities (ZDI-CAN-19549) [2]. The attacker sends a crafted request to the HNAP1 endpoint with a malicious EmailFrom parameter, which is then executed as a system command.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of root, leading to full compromise of the router's confidentiality, integrity, and availability [2].
Mitigation
D-Link has released a fixed firmware version v1.11B02_Beta_Hotfix (or similar) for the DIR-2640. Users are advised to update to the latest firmware available from D-Link's support page [1]. No workaround is provided; the only mitigation is to apply the patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- supportannouncement.us.dlink.com/announcement/publication.aspxmitrevendor-advisory
- www.zerodayinitiative.com/advisories/ZDI-23-545/mitrex_research-advisory
News mentions
0No linked articles in our index yet.