Hackers target critical flaw CVE-2024-10914 in EOL D-Link NAS Devices


This post was originally published on Security Affairs. It can be found here.

The exploitation of the recently disclosed ‘won’t fix’ issue CVE-2024-10914 in legacy D-Link NAS devices began days after its disclosure.  

Days after D-Link announced it wouldn’t patch a critical vulnerability in legacy D-Link NAS devices, tracked as CVE-2024-10914 (CVSS score of 9.8), threat actors started attempting to exploit it.

The vulnerability CVE-2024-10914 is a command injection issue that impacts D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028.

The flaw could allow remote OS command injection via the cgi_user_add function. According to the advisory, exploitation is complex but possible due to the public availability of an exploit.

The vulnerability resides in the account_mgr.cgi URI of certain D-Link NAS devices. The bug stems from the handling of the name parameter used within the CGI script cgi_user_add command.

“A command injection vulnerability has been identified in the account_mgr.cgi URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the name parameter used within the CGI script cgi_user_add command.” reads the post published by Netsecfish. “This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.”

An unauthenticated attacker could exploit the flaw to inject arbitrary shell commands through crafted HTTP GET requests.

“A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high.” reads the advisory. “The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.”

Shadowserver Foundation researchers observed CVE-2024-10914 exploitation attempts starting on November 12th. The experts observed roughly 1,100 Internet-facing devices potentially vulnerable to this issue, most of them in the UK, Hungary, and France.
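
One way to look for the request pattern described above in HTTP access logs, as an added example that is not from the original article or the advisory. It assumes common-log-format lines captured by a proxy or sensor in front of the device; the function names, the metacharacter list and the sample lines are illustrative and constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters a NAS account name has no reason to contain but a shell interprets
# (assumed list for this example).
SHELL_META = set(";|&`$()<>'\"\\\n\r")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_name(target):
    """Return the decoded name value when a request to account_mgr.cgi with
    cmd=cgi_user_add carries shell metacharacters in name, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cgi-bin/account_mgr.cgi"):
        return None
    # Split on '&' only, so a raw ';' stays inside the value it belongs to.
    params = parse_qs(parts.query, keep_blank_values=True, separator="&")
    if "cgi_user_add" not in params.get("cmd", []):
        return None
    for value in params.get("name", []):
        decoded = unquote(value)  # second decode catches double-encoded input
        if SHELL_META & set(decoded):
            return decoded
    return None

def scan(lines):
    """Return (client_ip, decoded_name) for every log line that matches."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        name = suspicious_name(match.group("target"))
        if name is not None:
            hits.append((line.split()[0], name))
    return hits

# Constructed sample lines (documentation IP ranges, harmless values).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 12',
    '203.0.113.9 - - [12/Nov/2024:10:01:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=a%3Becho%20test HTTP/1.1" 200 12',
    '203.0.113.9 - - [12/Nov/2024:10:01:09 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=a%253Becho HTTP/1.1" 200 12',
    '192.0.2.4 - - [12/Nov/2024:10:02:00 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=other_constructed&name=x%3By HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, name in scan(SAMPLE_LOG):
        print(f"{ip} suspicious name parameter: {name!r}")
```

Because the affected models are end-of-life and will not be patched, any hit from an external address is better treated as a reason to remove the device from Internet exposure than as an alert to tune.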


Pierluigi Paganini

(SecurityAffairs – hacking, D-Link NAS)
