More than 60,000 D-Link network-attached storage (NAS) devices that have reached end-of-life are exposed to a command injection vulnerability for which a public exploit is available.
The flaw, tracked as CVE-2024-10914, carries a critical CVSS score of 9.2 and lies in the ‘cgi_user_add’ command, where the name parameter is insufficiently sanitized before use.
An unauthenticated attacker can exploit it by sending a specially crafted HTTP GET request to the device, injecting arbitrary shell commands that run on the NAS.
The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses:
DNS-320 Version 1.00
DNS-320LW Version 1.01.0914.2012
DNS-325 Version 1.01, Version 1.02
DNS-340L Version 1.08
In a technical write-up that provides exploit details, security researcher Netsecfish says that leveraging the vulnerability requires sending "a crafted HTTP GET request to the NAS device with malicious input in the name parameter."
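To make the bug class concrete, the following Python is an added example written for this article; it is not D-Link firmware code and not Netsecfish's exploit. It models a CGI handler that pastes the name parameter straight into a shell command string, places a hardened handler beside it that validates the name against a strict allowlist and builds an argv list that no shell ever parses, and scans a few constructed access-log lines for cgi_user_add requests whose name carries shell metacharacters. The `adduser` command template, the `/cgi-bin/users.cgi` path and the log lines are assumptions made for the example.

```python
"""Model of a CGI command-injection flaw, its hardened form, and a log check.

Added example for this article; not D-Link firmware code. The command
template, URL path and access-log lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a POSIX-style account name: no shell metacharacter can pass.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Characters that let input break out of a shell command string.
SHELL_META = set(";|&`$()<>\n\r'\"\\ ")

# Constructed access-log lines (hypothetical /cgi-bin/users.cgi path):
# one legitimate user add, one injection attempt, one unrelated request.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [08/Nov/2024:10:15:01 +0000] "GET /cgi-bin/users.cgi'
    '?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Nov/2024:10:15:09 +0000] "GET /cgi-bin/users.cgi'
    '?cmd=cgi_user_add&name=x%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Nov/2024:10:16:22 +0000] "GET /cgi-bin/users.cgi'
    '?cmd=cgi_user_list HTTP/1.1" 200 40',
]


def _name_param(query_string):
    """Return the (percent-decoded) name parameter, or "" when absent."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("name", [""])[0]


def vulnerable_useradd_command(query_string):
    """Vulnerable pattern: the name parameter is pasted into a shell command.

    Returns the string such a handler would pass to system(); nothing is
    executed here. Once a shell parses it, everything after ';' runs as a
    second command. The 'adduser -D' template is hypothetical.
    """
    return "adduser -D %s" % _name_param(query_string)


def is_valid_username(name):
    """Strict allowlist check: the hardened handler's first line of defence."""
    return bool(USERNAME_RE.match(name))


def hardened_useradd_argv(query_string):
    """Hardened pattern: allowlist the name, then build an argv list.

    An argv list handed to execve() or subprocess.run(shell=False) is never
    parsed by a shell, so metacharacters in an argument stay literal data.
    Returns None when the name is rejected so the caller can answer 400.
    """
    name = _name_param(query_string)
    if not is_valid_username(name):
        return None
    return ["adduser", "-D", name]


def suspicious_cgi_user_add_requests(log_lines):
    """Detection: flag cgi_user_add requests whose name holds shell metacharacters.

    Returns (source_ip, decoded_name) for each flagged line.
    """
    req_re = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
    hits = []
    for line in log_lines:
        m = req_re.match(line)
        if not m:
            continue
        src, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if params.get("cmd", [""])[0] != "cgi_user_add":
            continue
        name = params.get("name", [""])[0]
        if SHELL_META & set(name) or not is_valid_username(name):
            hits.append((src, name))
    return hits


if __name__ == "__main__":
    attack = "cmd=cgi_user_add&name=alice%3Bid"
    print("vulnerable builds:", vulnerable_useradd_command(attack))
    print("hardened returns:", hardened_useradd_argv(attack))
    print("flagged requests:", suspicious_cgi_user_add_requests(SAMPLE_ACCESS_LOG))
```

The detector relies on parse_qs decoding the query once, which matches what a CGI would see; if a target firmware decodes twice, run the same check on the decoded name a second time before trusting a clean result.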