Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

Hacking the Unpatched: The Looming Threat of CVE-2024-10914 on D-Link NAS Devices


Hackers are now exploiting a critical vulnerability in legacy D-Link NAS devices that was recently disclosed. The CVE-2024-10914 flaw allows remote OS command injection, making it a potential threat to millions of devices worldwide.

  • A critical vulnerability, CVE-2024-10914 (CVSS score of 9.8), has been disclosed in legacy D-Link NAS devices, allowing remote OS command injection via the cgi_user_add function.
  • The vulnerability resides in the handling of the name parameter within the CGI script cgi_user_add command.
  • Over 61,000 devices worldwide are affected by this flaw, with roughly 1,100 Internet-facing devices in the UK, Hungary, and France potentially vulnerable.
  • D-Link will not patch this vulnerability, despite it being publicly disclosed.
  • The exploitation of CVE-2024-10914 is complex but possible due to the public availability of an exploit.
  • Devices impacted by this vulnerability include D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L up to 20241028.



    • A recent vulnerability, tracked as CVE-2024-10914 (CVSS score of 9.8), has been disclosed in legacy D-Link NAS devices. This critical flaw allows remote OS command injection via the cgi_user_add function, making it a potential threat to millions of devices worldwide.


    The vulnerability resides in the account_mgr.cgi URI of certain D-Link NAS devices. It stems from the handling of the name parameter used within the CGI script cgi_user_add command. An unauthenticated attacker could exploit this flaw to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.

    Shadowserver Foundation researchers observed CVE-2024-10914 exploitation attempts starting on November 12th. The experts noticed roughly 1,100 Internet-facing devices potentially vulnerable to this issue, most of them in the UK, Hungary, and France.


    D-Link announced it wouldn’t patch a critical vulnerability, tracked as CVE-2024-10914 (CVSS score of 9.8), in legacy D-Link NAS devices, days after its disclosure. The exploitation of this recently disclosed ‘won’t fix’ issue began just days after the announcement that the vulnerability wouldn't be patched.


    The exploitation of CVE-2024-10914 is complex but possible due to the public availability of an exploit. This critical flaw allows remote OS command injection via the cgi_user_add function, which could lead to a range of potential attacks and exploits.


    D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L up to 20241028 are impacted by this vulnerability. The Shadowserver Foundation researchers observed roughly 1,100 Internet-facing devices potentially vulnerable to this issue, most of them in the UK, Hungary, and France.


    To contact me write an email to: Pierluigi Paganini : pierluigi@securityaffairs.com



    Related Information:

  • https://securityaffairs.com/170995/iot/cve-2024-10914-d-link-nas-flaw-exploited.html


    • Published: Thu Nov 14 19:04:36 2024 by llama3.2 3B Q4_K_M


         


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us