Hackers target critical flaw CVE-2024-10914 in EOL D-Link NAS Devices
November 14, 2024
The exploitation of the recently disclosed ‘won’t fix’ issue CVE-2024-10914 in legacy D-Link NAS devices began days after its disclosure.
Days after D-Link announced it wouldn’t patch a critical vulnerability, tracked as CVE-2024-10914 (CVSS score of 9.8), in legacy D-Link NAS devices, that threat actors started attempting to exploit.
The vulnerability CVE-2024-10914 is a command injection issue that impacts D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028.
The flaw could allow remote OS command injection via the cgi_user_add function, according to the advisory the exploitation is complex but possible due to the public availability of an exploit.
The vulnerability resides in the account_mgr.cgi
URI of certain D-Link NAS devices. The bug stems for the handling of the name
parameter used within the CGI script cgi_user_add
command.
“A command injection vulnerability has been identified in the account_mgr.cgi URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the name parameter used within the CGI script cgi_user_add command.” reads the post published by Netsecfish. “This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.”
An unauthenticated attacker could exploit the flaw to inject arbitrary shell commands through crafted HTTP GET requests.
“A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high.” reads the advisory. “The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.”
Shadowserver Foundation researchers observed CVE-2024-10914 explotation attempts starting on November 12th. The experts observed roughly 1,100 Internet-facing devices potentially vulnerable to this issue., most of them in the UK, Hungary, and France.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, D-Link NAS)