CVE-2023-44424
8.00.09%
You've Got Mail (and a Root Shell): D-Link DIR-X3260 Command Injection
Amit Schendel
Senior Security ResearcherJan 1, 2026·5 min read·3 visits
PoC Available
Executive Summary (TL;DR)
Critical OS Command Injection in the `prog.cgi` binary of D-Link DIR-X3260 routers. Attackers on the local network (LAN/Wi-Fi) can inject shell commands via the `EmailTo` parameter in `SetSysEmailSettings`. Frequently chained with CVE-2023-44420 to bypass authentication entirely.
A classic tale of SOHO router insecurity featuring the D-Link DIR-X3260. By abusing the Home Network Administration Protocol (HNAP), an attacker can turn a simple configuration request for email notifications into full root remote code execution. While nominally authenticated, this flaw is practically open season when chained with a sibling authentication bypass.
Official Patches
Technical Appendix
CVSS Score
8.0/ 10
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HEPSS Probability
0.09%
Top 100% most exploited
Affected Systems
D-Link DIR-X3260 (EXO AX3200 Wi-Fi 6 Router)
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
DIR-X3260 D-Link | <= 1.02B02 | 1.03B02 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| Attack Vector | Adjacent (AV:A) |
| CVSS | 8.0 (High) |
| Impact | Remote Code Execution (Root) |
| Components | prog.cgi / HNAP |
| Exploit Status | PoC Available (Theoretical) |
MITRE ATT&CK Mapping
CWE-78
OS Command Injection
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Known Exploits & Detection
Vulnerability Timeline
ZDI publishes advisory ZDI-23-1522
2023-10-18
D-Link releases firmware patch v1.03B02
2023-10-18