D-Link Will Not Patch Critical Vulnerability in 60,000 Old NAS Devices
Security researchers have discovered that over 60,000 D-Link NAS devices, which are no longer supported, are vulnerable to command injection attacks. Although a public exploit for this issue already exists, D-Link developers do not plan to release any patches.
The critical vulnerability, identified as CVE-2024-10914 (with a CVSS score of 9.2), is related to the cgi_user_add command, where the name parameter is not properly sanitized. As a result, an unauthorized attacker can exploit this flaw to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the device.
Affected D-Link NAS Models
- DNS-320 version 1.00
- DNS-320LW version 1.01.0914.2012
- DNS-325 versions 1.01 and 1.02
- DNS-340L version 1.08
The vulnerability was discovered by cybersecurity researcher Netsecfish, who explains that exploitation requires “sending a modified HTTP GET request to the NAS device with malicious input in the name parameter.”
“This curl request forms a URL that triggers the cgi_user_add command with a name parameter containing an injected shell command,” the expert clarifies.
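Because no patch will ship, the practical controls are isolation and detection. The following Python routine is an added example, not code from the article, from Netsecfish or from D-Link: it scans web-server access logs for GET requests that reach the cgi_user_add command with shell metacharacters in the name parameter, which is the shape of request the researcher describes. The sample log lines and the CGI path in them are constructed for the example; only the cgi_user_add command name and the name parameter come from the article.

```python
# Added example: flag access-log requests that target the cgi_user_add command
# with shell metacharacters in the `name` parameter (CVE-2024-10914 probes).
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacters that a legitimate account name never needs. Any one of
# them inside `name` marks the request as suspicious.
SHELL_METACHAR_RE = re.compile(r"[;|&`$<>\n]")

# Apache/nginx combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_request(method, target):
    """Classify one request. Returns None when the request does not involve
    cgi_user_add, otherwise a dict with the decoded `name` values and whether
    any of them contains a shell metacharacter."""
    # The command name may sit in the path or in a query value; the exact
    # endpoint layout on the NAS is an assumption here, so check the whole target.
    if "cgi_user_add" not in target.lower():
        return None
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes percent-encoding once; decode again so that a
    # double-encoded value is inspected in its final form.
    names = [unquote(v) for v in params.get("name", [])]
    hits = [n for n in names if SHELL_METACHAR_RE.search(n)]
    return {
        "method": method,
        "path": parts.path,
        "names": names,
        "suspicious": bool(hits),
    }


def scan_log(lines):
    """Run analyze_request over access-log lines; return only the suspicious ones,
    enriched with client IP, timestamp and response status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        result = analyze_request(m["method"], m["target"])
        if result and result["suspicious"]:
            result.update(ip=m["ip"], timestamp=m["ts"], status=m["status"])
            findings.append(result)
    return findings


# Constructed sample lines (the CGI path is invented for the example): a benign
# user creation, one with a metacharacter in `name`, one double-encoded, and one
# unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2024:08:14:02 +0000] "GET /cgi-bin/example.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2024:08:14:05 +0000] "GET /cgi-bin/example.cgi?cmd=cgi_user_add&name=bob%3Bid HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Nov/2024:08:15:11 +0000] "GET /cgi-bin/example.cgi?cmd=cgi_user_add&name=carol%253Bid HTTP/1.1" 200 512',
    '198.51.100.5 - - [12/Nov/2024:08:16:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} -> {f['path']} name={f['names']}")
```

The check deliberately keys on the command name rather than a fixed URL, so it still fires if the handler is reached through a different path, and it decodes the parameter twice so a percent-encoded semicolon hidden behind a second layer of encoding is not missed. On a device that has been isolated as D-Link recommends, any match at all is a sign that the isolation is not holding.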
According to Netsecfish, using the FOFA platform, they found 61,147 results and 41,097 unique IP addresses associated with D-Link devices vulnerable to CVE-2024-10914.
D-Link’s Response
D-Link has published a security bulletin confirming the existence of CVE-2024-10914. However, since support for these devices has ended, no patches will be released. The manufacturer recommends that owners stop using the affected NAS products or at least isolate them from the internet.
It’s worth noting that earlier this year, D-Link also declined to fix vulnerabilities CVE-2024-3272 and CVE-2024-3273, which affected over 90,000 outdated NAS devices. Those devices began to be attacked just days after the bugs were disclosed.