Advisory

D-Link confirms critical flaw affecting over 60,000 end-of-life NAS devices, won't be patched

Take action: If you are running D-Link NAS devices, be aware that they are no longer supported and considered end-of-life. This means that you won't get any patches. As a first step, isolate them from the internet and make them accessible only from a trusted network, then plan to replace them soon.


Learn More

D-Link has confirmed the existence of a critical security vulnerability affecting over 60,000 end-of-life network-attached storage (NAS) devices.

The vulnerability is tracked as CVE-2024-10914 (CVSS score 9.2). It is a command injection flaw in the 'cgi_user_add' command of the account_mgr.cgi script, whose name parameter lacks proper input sanitization. The flaw allows unauthenticated attackers to inject arbitrary shell commands through specially crafted HTTP GET requests.

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"

Exploitation of this vulnerability is relatively straightforward: a single crafted HTTP GET request carrying a malicious name parameter is enough. Security researcher Netsecfish identified 61,147 vulnerable devices across 41,097 unique IP addresses through the FOFA platform.
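As an added example (not code from D-Link or from the advisory's author), the following Python check flags web-server access-log entries that match the injection pattern described above. The log lines are constructed samples, and the common-log-format layout and the field names are assumptions.

```python
"""Flag HTTP requests that match the CVE-2024-10914 injection pattern.

Added example, not part of the advisory. Assumes access logs in the
common log format; the sample lines below are constructed, not real traffic.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that have no legitimate place in an account name.
SHELL_META = re.compile(r"[;|&`'\"$\n]")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 512
192.0.2.10 - - [12/Nov/2024:10:02:15 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 300
198.51.100.5 - - [12/Nov/2024:10:03:44 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob%7Cls HTTP/1.1" 200 300
203.0.113.9 - - [12/Nov/2024:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def is_cve_2024_10914_attempt(target: str) -> bool:
    """True if the request targets cgi_user_add with a suspicious name value."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/account_mgr.cgi":
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("cmd", [""])[0] != "cgi_user_add":
        return False
    # parse_qs already decodes once; decode again to catch double-encoded payloads.
    for name in qs.get("name", []):
        if SHELL_META.search(unquote(name)):
            return True
    return False


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that looks like an exploitation attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cve_2024_10914_attempt(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']}")
```

The script is meant to run over logs from a reverse proxy or IDS sitting in front of the NAS, since the device itself will not receive a fix.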

Affected D-Link NAS Models:

  • DNS-320 Version 1.00
  • DNS-320LW Version 1.01.0914.2012
  • DNS-325 Version 1.01, Version 1.02
  • DNS-340L Version 1.08

D-Link has officially stated they will not provide a security fix for CVE-2024-10914, as these devices have reached end-of-life status. The company no longer manufactures NAS devices and recommends users retire the vulnerable products.

Users should first isolate the devices from public internet access and then retire them.
