CVE-2024-10914

Name of the Vulnerable Software and Affected Versions D-Link DNS-320 versions prior to 20241028 D-Link DNS-320LW versions prior to 20241028 D-Link DNS-325 versions prior to 20241028 D-Link DNS-340L versions prior to 20241028

Description A critical vulnerability exists in D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices. The issue is a command injection flaw located in the

cgi user add

function of the

/cgi-bin/account mgr.cgi?cmd=cgi user add

file. Manipulation of the

name

argument allows for the execution of arbitrary operating system commands. The attack can be launched remotely. Exploitation is considered difficult, but a public exploit is available. Approximately 61,000 devices worldwide are estimated to be affected, with exploitation attempts observed starting November 12th. The vulnerability is due to insufficient input validation of the

name

parameter, enabling attackers to inject shell commands.

Recommendations D-Link DNS-320: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks. D-Link DNS-320LW: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks. D-Link DNS-325: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks. D-Link DNS-340L: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks.