Details of VAR-202405-0217

ID

VAR-202405-0217

CVE

CVE-2024-5293

TITLE

D-Link Systems, Inc. of DIR-2640 Stack-based buffer overflow vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-026904

DESCRIPTION

D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640-US routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21853. D-Link Systems, Inc. (DoS) It may be in a state. D-Link DIR-2640 is a high-power Wi-Fi router from D-Link, a Chinese company. D-Link DIR-2640 has a buffer overflow vulnerability. The vulnerability is caused by the program failing to properly verify the length of the input data

Trust: 2.79

sources: NVD: CVE-2024-5293 // JVNDB: JVNDB-2024-026904 // ZDI: ZDI-24-444 // CNVD: CNVD-2024-26177

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-26177

AFFECTED PRODUCTS

vendor:	d link	model:	dir-2640	scope:	-	version:	-	Trust: 2.1
vendor:	dlink	model:	dir-2640	scope:	eq	version:	1.11b02	Trust: 1.0
vendor:	d link	model:	dir-2640	scope:	eq	version:	dir-2640 firmware 1.11b02	Trust: 0.8
vendor:	d link	model:	dir-2640	scope:	eq	version:	-	Trust: 0.8

sources: ZDI: ZDI-24-444 // CNVD: CNVD-2024-26177 // JVNDB: JVNDB-2024-026904 // NVD: CVE-2024-5293

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2024-5293
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-026904
value:	HIGH
Trust: 0.8
ZDI:	CVE-2024-5293
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2024-26177
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-26177
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2024-5293
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.0
OTHER:	JVNDB-2024-026904
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2024-5293
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-24-444 // CNVD: CNVD-2024-26177 // JVNDB: JVNDB-2024-026904 // NVD: CVE-2024-5293

PROBLEMTYPE DATA

problemtype:	CWE-121	Trust: 1.0
problemtype:	Stack-based buffer overflow (CWE-121) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-026904 // NVD: CVE-2024-5293

EXTERNAL IDS

db:	NVD	id:	CVE-2024-5293	Trust: 3.9
db:	ZDI	id:	ZDI-24-444	Trust: 3.1
db:	JVNDB	id:	JVNDB-2024-026904	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-21853	Trust: 0.7
db:	CNVD	id:	CNVD-2024-26177	Trust: 0.6

sources: ZDI: ZDI-24-444 // CNVD: CNVD-2024-26177 // JVNDB: JVNDB-2024-026904 // NVD: CVE-2024-5293

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-24-444/	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2024-5293	Trust: 0.8

sources: CNVD: CNVD-2024-26177 // JVNDB: JVNDB-2024-026904 // NVD: CVE-2024-5293

CREDITS

Nicholas Zubrisky

Trust: 0.7

sources: ZDI: ZDI-24-444

SOURCES

db:	ZDI	id:	ZDI-24-444
db:	CNVD	id:	CNVD-2024-26177
db:	JVNDB	id:	JVNDB-2024-026904
db:	NVD	id:	CVE-2024-5293

LAST UPDATE DATE

2025-08-09T23:09:30.491000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-24-444	date:	2024-07-01T00:00:00
db:	CNVD	id:	CNVD-2024-26177	date:	2024-06-06T00:00:00
db:	JVNDB	id:	JVNDB-2024-026904	date:	2025-08-07T02:12:00
db:	NVD	id:	CVE-2024-5293	date:	2025-08-06T14:26:03.143

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-24-444	date:	2024-05-24T00:00:00
db:	CNVD	id:	CNVD-2024-26177	date:	2024-06-06T00:00:00
db:	JVNDB	id:	JVNDB-2024-026904	date:	2025-08-07T00:00:00
db:	NVD	id:	CVE-2024-5293	date:	2024-05-23T22:15:15