PT-2024-7982 · D-Link · D-Link DNS-325 +2

Netsecfish · Published 2024-11-06 · Updated 2025-07-12 · CVE-2024-10915

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L, versions up to 20241028

Description: The issue is located in the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add, which is affected by a critical OS command injection vulnerability. The vulnerability can be exploited remotely and allows an attacker to execute arbitrary code. Manipulation of the group argument leads to OS command injection. The complexity of an attack is rather high, and exploitation is known to be difficult.

Recommendations: For D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L versions up to 20241028, consider disabling the cgi_user_add function as a temporary workaround until a patch is available. Restrict access to the /cgi-bin/account_mgr.cgi?cmd=cgi_user_add endpoint to minimize the risk of exploitation. Avoid using the group argument of the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

OS Command Injection
Improper Neutralization
Special Elements Injection

Related Identifiers

BDU:2024-09495
CVE-2024-10915

Affected Products

D-Link DNS-320
D-Link DNS-325
D-Link DNS-340L