Name of the Vulnerable Software and Affected Versions
D-Link DNS-320 versions 1.00 through 1.08
D-Link DNS-320LW versions 1.01.0914.2012 and earlier
D-Link DNS-325 versions 1.01 through 1.02
D-Link DNS-340L versions 1.08 and earlier
Description
A critical vulnerability has been found in D-Link DNS devices, allowing remote OS command injection via manipulation of the cgi_user_add function. The vulnerability is due to insufficient validation of the name parameter in the /cgi-bin/account_mgr.cgi?cmd=cgi_user_add endpoint. This allows unauthenticated attackers to inject arbitrary shell commands, potentially leading to full device control. The issue affects D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices with firmware up to 20241028. Over 61,000 devices are estimated to be vulnerable worldwide.
Recommendations
For D-Link DNS-320 version 1.00, update to a newer version or replace the device as it is end-of-life.
For D-Link DNS-320LW version 1.01.0914.2012 and earlier, update to a newer version or replace the device as it is end-of-life.
For D-Link DNS-325 versions 1.01 through 1.02, update to a newer version or replace the device as it is end-of-life.
For D-Link DNS-340L version 1.08 and earlier, update to a newer version or replace the device as it is end-of-life.
As a temporary workaround, consider restricting access to the /cgi-bin/account_mgr.cgi endpoint and limiting the use of the cgi_user_add function until a patch is available.
Apply network restrictions and monitor for suspicious activity to minimize the risk of exploitation.
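As an added example (not part of this advisory or of D-Link's software), the following Python script scans web-server access logs for requests to the vulnerable endpoint whose name parameter contains shell metacharacters or falls outside a plausible account-name character set; the log lines, the log format and the "safe name" pattern are constructed assumptions for illustration.

```python
"""Flag access-log requests that look like command-injection attempts against
the name parameter of /cgi-bin/account_mgr.cgi?cmd=cgi_user_add."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2024:10:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice&pw=x HTTP/1.1" 200 512
192.0.2.11 - - [10/Nov/2024:10:00:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob%3Bx HTTP/1.1" 200 512
192.0.2.12 - - [10/Nov/2024:10:00:03 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%24%28x%29 HTTP/1.1" 200 512
192.0.2.13 - - [10/Nov/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Characters or sequences that open a new shell command or a command substitution.
SHELL_META = re.compile(r'[;|&`\n]|\$\(|\$\{')
# Assumed character set for a legitimate account name on these devices.
SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]{1,32}$')


def inspect_request(target):
    """Return a reason string if the request hits the vulnerable endpoint with a
    suspicious name value, otherwise None."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/account_mgr.cgi":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("cmd", [""])[0] != "cgi_user_add":
        return None
    name = qs.get("name", [""])[0]  # parse_qs percent-decodes the value
    if SHELL_META.search(name):
        return "shell metacharacter in name"
    if not SAFE_NAME.match(name):
        return "name outside expected charset"
    return None


def scan_log(text):
    """Return (client_ip, reason) pairs for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), reason))
    return hits


if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Any hit on an end-of-life device warrants treating the host as potentially compromised, since the endpoint requires no authentication.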