CVE-2023-32148

Published: May 3, 2024Modified: Jun 17, 2026

6.5

Vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: zdi-disclosures@trendmicro.com (Secondary)

Description

D-Link DIR-2640 HNAP PrivateLogin Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2640 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management interface, which listens on TCP port 80 by default. A crafted XML element in the login request can cause authentication to succeed without providing proper credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-19545.

Affected (1)

Products: Dlink: Dir 2640 Firmware

1 product

Dir 2640 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dir 2640 Firmware	Version 1.11b02

Running on/with	Platform Versions
Dlink Dir 2640	All versions

Related CWEs

Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

References (4)

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10323

Source: zdi-disclosures@trendmicro.com

ProductVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-23-540/

Source: zdi-disclosures@trendmicro.com

Third Party Advisory

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10323

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-23-540/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.