
Many Legacy D-Link NAS Devices Exposed to Remote Attacks via Critical Flaw

D-Link warns of a critical-severity command injection vulnerability impacting multiple discontinued NAS models.

D-Link on Friday warned that multiple discontinued NAS models are affected by a critical-severity command injection vulnerability for which exploit code has been published.

The issue, tracked as CVE-2024-10914 (CVSS score of 9.2), impacts the account management functionality of the affected devices.

Because the name parameter is not properly sanitized when a new user is added, an unauthenticated attacker can inject arbitrary shell commands through a crafted HTTP GET request; whatever the attacker places in that parameter is executed on the NAS with the privileges of the web management process.

According to security researcher Netsecfish, an attacker can exploit the vulnerability by sending “a crafted HTTP GET request to the NAS device with malicious input in the name parameter”.

“The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used,” a NIST advisory reads.
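To make the mechanism concrete, here is an added example in C. It is not D-Link's firmware code, which the page does not show: a minimal CGI-style handler that pulls the name parameter out of a GET query string, shows the exact string a shell-out would receive when the value carries metacharacters, and a hardened variant that allowlists the username and runs the helper without a shell. The query format, the cmd parameter, the /usr/sbin/adduser helper and the sample query string are assumptions for illustration.

```c
/* Added example, not D-Link's code. Shows how an unsanitised "name"
 * parameter in a CGI GET request becomes a shell command, and one way to
 * close the hole. The query format, the "cmd" parameter and the adduser
 * helper path are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX_LEN 32

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst; dst needs at least strlen(src)+1 bytes. */
void url_decode(const char *src, char *dst) {
    while (*src) {
        if (*src == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            *dst++ = (char)(hexval(src[1]) * 16 + hexval(src[2]));
            src += 3;
        } else if (*src == '+') {
            *dst++ = ' ';
            src++;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* Find `key` in a query string such as "cmd=user_add&name=alice" and
 * write its decoded value to out. Returns 1 if found, 0 otherwise. */
int get_query_param(const char *query, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char raw[256];
            size_t vlen = seglen - klen - 1;
            if (vlen >= outlen) vlen = outlen - 1;
            if (vlen >= sizeof raw) vlen = sizeof raw - 1;
            memcpy(raw, p + klen + 1, vlen);
            raw[vlen] = '\0';
            url_decode(raw, out);   /* decoded text is never longer than raw */
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* VULNERABLE pattern: the decoded name is pasted into a command line that
 * would then be handed to system(). Returns that command line so the
 * caller can see what the shell would parse. */
int build_user_add_command_unsafe(const char *name, char *cmd, size_t cmdlen) {
    return snprintf(cmd, cmdlen, "/usr/sbin/adduser %s", name);
}

/* Allowlist: 1..32 characters from [A-Za-z0-9_-], starting with a letter.
 * Rejecting everything else removes ';', '|', '`', '$', '>' and friends. */
int is_valid_username(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN) return 0;
    if (!isalpha((unsigned char)name[0])) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED: validate first, then exec the helper with an argv array.
 * No shell is involved, so metacharacters in `name` carry no meaning.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int user_add_safe(const char *name) {
    if (!is_valid_username(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/usr/sbin/adduser", (char *)name, NULL};
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed query string, not captured from a device: %3B is ';', %3E is '>' */
    const char *query = "cmd=user_add&name=alice%3Bid%3Edata";
    char name[NAME_MAX_LEN * 2], cmd[128];
    if (get_query_param(query, "name", name, sizeof name)) {
        build_user_add_command_unsafe(name, cmd, sizeof cmd);
        printf("unsafe shell line: %s\n", cmd);
        printf("allowlist accepts it? %s\n", is_valid_username(name) ? "yes" : "no");
    }
    return 0;
}
```

The unsafe path turns the decoded value into `/usr/sbin/adduser alice;id>data`, which a shell runs as two commands; the hardened path rejects the same value before any process is spawned, and even an accepted name is passed as a single argv element rather than parsed by a shell.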

The security defect, Netsecfish says, impacts D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS models. The researcher warns that more than 61,000 vulnerable devices can be accessed from the internet.

D-Link, however, warns that 16 other discontinued NAS models are affected and that it cannot address the vulnerability, as all development and customer support have ceased. Some of these devices were retired a decade ago.

“This exploit affects legacy D-Link products and all hardware revisions that have reached their end-of-life (‘EOL’)/end-of-service-life (‘EOS’) life cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link,” the company notes in its advisory.

D-Link recommends that its customers retire these products and migrate to supported ones.

US customers who continue to use these devices despite D-Link’s recommendations should ensure they run the latest firmware, the company says. Since no further patches will be issued for these models, the latest firmware still carries this flaw; keeping the management interface off the internet is the practical mitigation until the device is replaced.

Users outside the US, however, may use third-party firmware that is available for many of the affected devices, D-Link notes, warning that it does not support such firmware and that installing it voids warranty.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
