More than 60,000 data storage devices from D-Link, which reached the end of their life cycle (EO), turned out to be vulnerable due to a lack of security of the type Command Injection. The vulnerability, designated as CVE-2024-10914, has a critical score of 9.2 points on the CVSS scale and is associated with insufficient cleaning of the name parameter in the command “Cgi_user_add”.
An unauthorized attacker can use this vulnerability to perform arbitrary commands by sending specially formed HTTP checks to the devices. The vulnerability affects several NAS models from D-Link that are popular among small businesses, including DNS-320 (version 1.00), DNS-320LW (version 1.01.0914.2012), DNS-325 (version 1.01 and 1.02), and DNS-340L (version 1.08).
A cybersecurity researcher from Netsecfish published details on how to exploit this vulnerability. By sending a special HTTP request to the NAS device with malicious commands in the name parameter, the researcher demonstrated the process using a Curl command.
During their analysis, NetSecfish discovered more than 61,000 vulnerable D-Link devices on 41,097 unique IP addresses. This put a vast amount of data on all these devices at risk due to the availability of public access.
In a recent security bulletin, D-Link confirmed that no fix for CVE-2024-10914 is planned. The company recommended that users either remove the devices or limit their availability from the Internet.
Back in April of this year, the same researcher revealed a similar vulnerability, CVE-2024-3273, which was related to Command Injection and a built-in backdoor, affecting the same NAS models from D-Link. Online scans at the time showed over 92,000 vulnerable devices. D-Link previously announced that it had halted the