Critical Vulnerability in D-Link NAS Devices

A critical security vulnerability has been identified in D-Link NAS (Network-Attached Storage) devices. If exploited, this vulnerability could allow attackers to execute malicious code on the devices, posing a serious threat to system and data security.

The vulnerability, identified as CVE-2024-10914, has received a CVSSv4 score of 9.2 (very high risk). This issue affects various models of D-Link NAS devices, enabling attackers to execute commands without authentication. This can result in unauthorized access, data theft or modification, and even system compromise.

The vulnerability lies in the account_mgr.cgi script, specifically in the name parameter of the cgi_user_add command. Attackers can exploit this by sending specially crafted HTTP GET requests. Due to inadequate input validation, attackers can inject arbitrary commands and have them executed on the device.

When CVE-2024-10914 is successfully exploited, it can lead to the following risks:

  • Unauthorized access to the NAS device
  • Execution of commands with root privileges
  • Data theft or modification
  • Installation of malware, compromising the device’s stability

This vulnerability affects the following D-Link NAS models:

  • DNS-320, version 1.00
  • DNS-320LW, version 1.01.0914.2012
  • DNS-325, versions 1.01 and 1.02
  • DNS-340L, version 1.08

To address this vulnerability, UZCERT recommends the following security measures:

  1. Update the firmware: Install the latest updates released by D-Link as soon as possible.
  2. Restrict network access: Allow access to the NAS management interface only from trusted IP addresses.
  3. Monitor for updates: Regularly check for new security updates from D-Link.
  4. Network segmentation: If possible, isolate NAS devices from the internet and other critical network segments.
  5. Regular security audits: Conduct regular security assessments of your network infrastructure, especially NAS devices.
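As an added example (not part of the UZCERT advisory and not D-Link code), the following Python script checks web-server access logs for the two conditions the advisory describes: requests to account_mgr.cgi that do not come from the trusted-address allowlist of step 2, and cgi_user_add requests whose name parameter carries shell metacharacters, the injection point named above. The log format, the sample log lines and the trusted address are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real device logs.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
198.51.100.77 - - [07/Nov/2024:10:05:44 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=x%27%3B%27 HTTP/1.1" 200 512
192.0.2.10 - - [07/Nov/2024:10:07:10 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_list HTTP/1.1" 200 2048
203.0.113.5 - - [07/Nov/2024:10:09:31 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

# Assumed allowlist: the management interface should only be reached from here (advisory step 2).
TRUSTED_SOURCES = {"192.0.2.10"}

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Characters that have no place in a username but let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$'\"(){}<>\n]")

def classify(line):
    """Return the list of alert reasons for one log line (empty list = nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, target = m.group("src"), m.group("target")
    parts = urlsplit(target)
    if not parts.path.endswith("/account_mgr.cgi"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # values are percent-decoded here
    reasons = []
    if src not in TRUSTED_SOURCES:
        reasons.append("account_mgr.cgi reached from untrusted source %s" % src)
    if params.get("cmd") == ["cgi_user_add"]:
        if any(SHELL_META.search(v) for v in params.get("name", [])):
            reasons.append("shell metacharacters in cgi_user_add name parameter")
    return reasons

def scan(log_text):
    """Map each alerting line number (1-based) to its list of reasons."""
    alerts = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            alerts[n] = reasons
    return alerts

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print("line %d: %s" % (n, "; ".join(reasons)))
```

Only the second sample line is flagged, for both reasons; the benign user-add from the trusted address and the unrelated requests produce no alert.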

Implementing these security measures as soon as possible is essential to protect your devices and data. Share this information with your partners and relevant divisions, and report any additional findings or information.
