You've Got Mail (and a Root Shell): D-Link DIR-X3260 Command Injection
Jan 1, 2026·5 min read·1 visit
Executive Summary (TL;DR)
Critical OS Command Injection in the `prog.cgi` binary of D-Link DIR-X3260 routers. Attackers on the local network (LAN/Wi-Fi) can inject shell commands via the `EmailTo` parameter in `SetSysEmailSettings`. Frequently chained with CVE-2023-44420 to bypass authentication entirely.
A classic tale of SOHO router insecurity featuring the D-Link DIR-X3260. By abusing the Home Network Administration Protocol (HNAP), an attacker can turn a simple configuration request for email notifications into full root remote code execution. While nominally authenticated, this flaw is practically open season when chained with a sibling authentication bypass.
Official Patches
Technical Appendix
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
DIR-X3260 D-Link | <= 1.02B02 | 1.03B02 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| Attack Vector | Adjacent (AV:A) |
| CVSS | 8.0 (High) |
| Impact | Remote Code Execution (Root) |
| Components | prog.cgi / HNAP |
| Exploit Status | PoC Available (Theoretical) |
MITRE ATT&CK Mapping
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.