PT-2024-7982 · D Link · D-Link Dns-325+2
Netsecfish · Published 2024-11-06 · Updated 2025-12-01 · CVE-2024-10915
CVSS v2.0: 10 High | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L versions up to 20241028
Description
A critical issue exists in the cgi_user_add function of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add within the affected D-Link devices. Manipulation of the argument group allows for operating system command injection. This allows a remote attacker to execute arbitrary commands on the system. The complexity of a successful attack is considered high, and while exploitation is difficult, a public exploit is available.
Recommendations
Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L to a version later than 20241028.
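For devices that cannot be updated immediately, requests to the affected endpoint can be reviewed in web or reverse-proxy access logs. The following is an added detection sketch, not code from this advisory or from D-Link: it flags cgi_user_add requests whose group value falls outside a conservative allowlist. It assumes combined-format access logs, that group arrives in the query string, and that legitimate group names use only the characters in SAFE_GROUP; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate group names contain only these characters.
SAFE_GROUP = re.compile(r"[A-Za-z0-9_.,-]*")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_group_values(log_line):
    """Return decoded group values of a cgi_user_add request that fail the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/cgi-bin/account_mgr.cgi"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if "cgi_user_add" not in params.get("cmd", []):
        return []
    return [g for g in params.get("group", []) if not SAFE_GROUP.fullmatch(g)]


def scan(lines):
    """Return (line_number, client_ip, bad_values) for every flagged log entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_group_values(line)
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
# "placeholder_cmd" is a hypothetical command name used only as a negative case.
SAMPLE = [
    '192.0.2.10 - - [06/Nov/2024:10:00:01 +0000] '
    '"GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=staff HTTP/1.1" 200 120',
    '198.51.100.7 - - [06/Nov/2024:10:00:05 +0000] '
    '"GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=a%3Bb HTTP/1.1" 200 0',
    '192.0.2.10 - - [06/Nov/2024:10:00:09 +0000] '
    '"GET /cgi-bin/account_mgr.cgi?cmd=placeholder_cmd&group=a%3Bb HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for n, ip, bad in scan(SAMPLE):
        print(f"line {n}: {ip} sent non-allowlisted group value(s): {bad}")
```

Access logs normally record only the request line, so parameters sent in a request body are not visible to this check.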
Exploit
Fix
Improper Neutralization
Special Elements Injection
OS Command Injection
Related Identifiers
Affected Products
D-Link Dns-320
D-Link Dns-325
D-Link Dns-340L