Name of the Vulnerable Software and Affected Versions
D-Link DNS-320 versions prior to 20241028
D-Link DNS-320LW versions prior to 20241028
D-Link DNS-325 versions prior to 20241028
D-Link DNS-340L versions prior to 20241028
Description
A critical vulnerability exists in D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices. The issue is a command injection flaw located in the
cgi user add
function of the
/cgi-bin/account mgr.cgi?cmd=cgi user add
file. Manipulation of the
name
argument allows for the execution of arbitrary operating system commands. The attack can be launched remotely. Exploitation is considered difficult, but a public exploit is available. Approximately 61,000 devices worldwide are estimated to be affected, with exploitation attempts observed starting November 12th. The vulnerability is due to insufficient input validation of the
name
parameter, enabling attackers to inject shell commands.
Recommendations
D-Link DNS-320: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks.
D-Link DNS-320LW: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks.
D-Link DNS-325: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks.
D-Link DNS-340L: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks.