Security researcher Netsecfish discovered a critical flaw in several popular D-Link NAS models that allows an unauthenticated attacker to inject operating-system commands through a single HTTP GET request. According to Netsecfish’s Notion write-up (h/t BleepingComputer), the vulnerability lies in the account_mgr.cgi script, which executes whatever is smuggled in through its name parameter, so a crafted value for that parameter runs as a command on the device. The issue is tracked in the National Vulnerability Database (NVD) as CVE-2024-10914 and is rated critical with a severity score of 9.2.
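Because the attack is a single unauthenticated GET, exploitation attempts leave a recognisable trace in whatever sits in front of the NAS (a reverse proxy, router or firewall that logs HTTP requests). The following detector is an added example written for this page, not code from the article or from Netsecfish: it parses common/combined-format access-log lines, keeps only requests to account_mgr.cgi, and flags any name value that contains shell metacharacters after percent-decoding. The log format, the metacharacter list and the sample lines are all assumptions constructed for the example; the affected NAS models are not assumed to produce such a log themselves.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common/combined access-log line: client, ident, user, [time], "METHOD TARGET PROTO", status, size.
# Assumed format for the example; adjust the regex to your proxy's or firewall's log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Characters that let a parameter value break out of a shell command string.
# The list is an assumption chosen for this example, not taken from the advisory.
SHELL_META = re.compile(r'[;|&`\'"$<>\\\n]')

# Constructed sample lines for the example, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2024:12:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Nov/2024:12:00:05 +0000] "GET /cgi-bin/account_mgr.cgi?name=%27%3Bid%3B%27 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Nov/2024:12:00:09 +0000] "GET /cgi-bin/account_mgr.cgi?name=%2527%253Bid%253B%2527 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Nov/2024:12:01:00 +0000] "GET /index.html?name=%27%3B HTTP/1.1" 200 1024',
]


def suspicious_name_values(target):
    """Return decoded `name` values of an account_mgr.cgi request that contain shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/account_mgr.cgi"):
        return []
    # parse_qs percent-decodes once and splits on '&'; an encoded '%26' survives inside a value.
    values = parse_qs(parts.query, keep_blank_values=True).get("name", [])
    # Decode a second time so a double-encoded payload is still reviewed (cheap, and a
    # false positive here costs nothing compared with a missed attempt).
    return [v for v in (unquote(x) for x in values) if SHELL_META.search(v)]


def scan_access_log(lines):
    """Scan log lines and return one record per flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        for value in suspicious_name_values(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "name": value,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} name={hit["name"]!r}')
```

Two of the four constructed lines are flagged: the plainly encoded payload and its double-encoded twin, both from the same client. The benign account_mgr.cgi request with name=alice and the unrelated index.html request are ignored. Keying on the script path plus metacharacters in the one parameter the advisory names keeps the rule narrow; if you see such hits against a device that is directly reachable from the internet, treat the NAS as compromised rather than merely probed, since the request needs no credentials.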
The following D-Link models and firmware versions are affected: DNS-320 version 1.00, DNS-320LW version 1.01.0914.2012, DNS-325 versions 1.01 and 1.02, and DNS-340L version 1.08.
Unfortunately for the users of these devices, D-Link declined to release a security patch, noting that “Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link.” All of the affected models reached their end-of-life/end-of-service dates by 2020, and “D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS.”
Netsecfish ran a FOFA search for the affected D-Link models, and the platform returned 61,147 results across 41,097 unique IP addresses. Although the NVD entry rates the attack complexity as high, meaning exploitation takes more effort than simply replaying a request, an attacker with the necessary knowledge could in principle reach any of these internet-exposed D-Link NAS devices, and no credentials are required once the request is crafted.
If you’re using one of these models, it’s highly recommended that you replace your NAS with one that still receives patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to the NAS management interface to trusted IP addresses only. Because the flaw needs no login, that restriction has to be enforced in front of the web interface (on your router or firewall), not by the NAS’s own account settings. You could also take the NAS off the public internet entirely, so that only users on your internal network can interact with it.
Alternatively, you could look for third-party firmware that supports the affected hardware, but make sure you download it from a trusted source and verify the image against the publisher’s checksums before flashing it. If you think it’s time to get a new NAS for your home, office, or business, check out our list of the best NAS before picking one to install.