A severe security flaw in outdated D-Link network-attached storage (NAS) devices leaves over 61,000 units exposed online with no patches.
Researchers have identified a command injection vulnerability in several legacy D-Link NAS models, posing a critical security risk. Tracked as CVE-2024-10914, this flaw allows unauthorized attackers to gain control by injecting commands through the “name” parameter in the device’s user-add command.
With a critical CVSS score of 9.2, this vulnerability demands immediate mitigation efforts, especially since these devices no longer receive updates.
Affected End-of-Life Devices
The vulnerability impacts multiple D-Link NAS models, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, all of which have reached end-of-life (EOL) status. D-Link categorizes these devices as end-of-service (EOS), meaning they no longer receive firmware updates or support, leaving users without an official patch.
Due to insufficient input sanitization, attackers can manipulate the account management script to execute arbitrary commands, potentially compromising all data stored on the device.
According to a FOFA platform scan by security researcher NetSecFish, over 61,000 unique IPs expose vulnerable devices, revealing the scale of potential risk.
Also read: Beware of Active Exploitation: Critical Vulnerabilities in D-Link NAS Devices Exposes 92,000 Devices
Exploitation and Attack Simplicity
Exploiting CVE-2024-10914 requires minimal technical skills. Attackers simply send an HTTP GET request to the device’s IP address, embedding malicious code in the “name” parameter. A sample attack command could look like this:
The vulnerability, classified as command injection (CWE-77), enables attackers to seize control over vulnerable NAS devices, potentially accessing stored data and infiltrating broader network areas.
D-Link’s Advisory and Recommendations
D-Link acknowledges the severity of this vulnerability but confirms no fix will be issued due to the EOL status of affected models. The company advises users to retire these devices or, if retirement isn’t feasible, follow certain mitigation steps:
- Disconnect from Public Internet: Isolate NAS devices from the public internet to prevent external exploitation.
- Restrict Device Access: Use firewall rules to limit access to trusted internal networks.
- Update Device Credentials: Regularly change and strengthen passwords, and enable encryption for wireless connections.
- Consider Third-Party Firmware: Advanced users can opt for third-party firmware, though this may void warranties and lacks D-Link support.
Beyond D-Link’s recommendations, cybersecurity firm Cyble recommended organizations to adopt best practices like network segmentation, scheduled vulnerability scanning, and network traffic monitoring, to minimize exposure to this risk.
As D-Link’s affected NAS devices will not receive patches, CVE-2024-10914 underscores the risks of using unsupported hardware. Immediate action is crucial—either retiring these devices or implementing strict access controls to secure data integrity. Upgrading to newer, supported models remains the most effective solution for safeguarding critical information.
