CVE-2021-28840

Name: CVE-2021-28840
Creator: NVD / NIST
Published: 2021-08-10T18:15:07.22+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 2.25%

Last modified Jun 17, 2026

CVE-2021-28840 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Null Pointer Dereference vulnerability exists in D-Link DAP-2310 2.07.RC031, DAP-2330 1.07.RC028, DAP-2360 2.07.RC043, DAP-2553 3.06.RC027, DAP-2660 1.13.RC074, DAP-2690 3.16.RC100, DAP-2695 1.17.RC063, DAP-3320 1.01.RC014 and DAP-3662 1.01.RC022 in the upload_config function of sbin/httpd binary. When the binary handle the specific HTTP GET request, the content in upload_file variable is NULL in the upload_config function then the strncasecmp would take NULL as first argument, and incur the NULL pointer dereference vulnerability.. EPSS estimates a 2.25% chance of exploitation in the next 30 days.

Description

Null Pointer Dereference vulnerability exists in D-Link DAP-2310 2.07.RC031, DAP-2330 1.07.RC028, DAP-2360 2.07.RC043, DAP-2553 3.06.RC027, DAP-2660 1.13.RC074, DAP-2690 3.16.RC100, DAP-2695 1.17.RC063, DAP-3320 1.01.RC014 and DAP-3662 1.01.RC022 in the upload_config function of sbin/httpd binary. When the binary handle the specific HTTP GET request, the content in upload_file variable is NULL in the upload_config function then the strncasecmp would take NULL as first argument, and incur the NULL pointer dereference vulnerability.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

2.25%

80.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-476

Affected Software

Vendor	Product	Versions
Dlink	Dap-2310 Firmware	2.0.7.rc031
Dlink	Dap-2330 Firmware	1.07.rc028
Dlink	Dap-2360 Firmware	2.07.rc043
Dlink	Dap-2553 Firmware	3.06.rc027
Dlink	Dap-2660 Firmware	1.13.rc074
Dlink	Dap-2690 Firmware	3.16.rc100
Dlink	Dap-2695 Firmware	1.17.rc063
Dlink	Dap-3320 Firmware	1.01.rc014
Dlink	Dap-3662 Firmware	1.01.rc022

References

https://github.com/zyw-200/EQUAFL/blob/main/dlink-email-cve.pdfExploit, Third Party Advisory
https://github.com/zyw-200/EQUAFL/blob/main/dlink-email-cve2.pdfThird Party Advisory
https://www.dlink.com/en/security-bulletin/Vendor Advisory
https://github.com/zyw-200/EQUAFL/blob/main/dlink-email-cve.pdfExploit, Third Party Advisory
https://github.com/zyw-200/EQUAFL/blob/main/dlink-email-cve2.pdfThird Party Advisory
https://www.dlink.com/en/security-bulletin/Vendor Advisory

Timeline

Published: Aug 10, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-28840?

How severe is CVE-2021-28840?

CVE-2021-28840 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 2.25% probability of exploitation in the next 30 days.

How do I fix CVE-2021-28840?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-28840?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST