61,000 EoL D-Link NAS Devices Vulnerable to Command Injection

A newly discovered command injection vulnerability has been identified in D-Link NAS devices, affecting around 61,000 units globally. This flaw enables unauthenticated attackers to execute arbitrary shell commands remotely by exploiting a specific parameter in the devices' CGI script, presenting a critical risk for data breaches and ransomware.

The vulnerability, present in the account_mgr.cgi URI, allows remote attackers to exploit the name parameter within the cgi_user_add command, bypassing authentication and injecting harmful shell commands. This flaw was discovered through a technical analysis by researcher NetSecFish, who examined how the name parameter is handled without adequate input sanitization.

By crafting malicious HTTP GET requests, attackers can manipulate this parameter to execute arbitrary commands on affected devices. For instance, a sample cURL command highlights how an attacker can inject commands directly into the NAS system by replacing [Target-IP] with the target's IP address, thus gaining system-level access.

Affected devices and impact

The flaw, tracked under CVE-2024-10914, impacts several NAS models by D-Link, a manufacturer that has since discontinued its NAS lineup, leaving these devices without ongoing support or security patches. The affected models include:

• DNS-320 (Version 1.00)
• DNS-320LW (Version 1.01.0914.2012)
• DNS-325 (Versions 1.01 and 1.02)
• DNS-340L (Version 1.08)

These models are commonly used in home and small business environments to centralize data storage and facilitate networked data sharing, making them particularly vulnerable to remote exploits, given their exposure to the internet.

Exploiting this vulnerability is straightforward for skilled attackers, requiring only a crafted URL to deliver the command injection payload. With these devices connected to the internet, threat actors can use this vulnerability to gain unauthorized access, execute arbitrary commands, and potentially compromise entire systems. This flaw leaves data stored on the NAS devices at risk, and cybercriminals could use the command injection to deploy ransomware, steal sensitive information, or even erase stored files entirely.

D-Link NAS risks

This finding follows an earlier report about another severe command injection vulnerability (CVE-2024-3273) in D-Link NAS devices, where over 92,000 devices were affected. That flaw involved similar command injection issues in D-Link's NAS devices, which were similarly unsupported by the manufacturer due to their end-of-life status.

Soon after that disclosure, reports confirmed active exploitation in the wild, with hackers sharing lists of vulnerable IPs on underground forums to facilitate broader attacks.

Due to the high risk and D-Link's cessation of NAS support, users of the affected models are advised to take immediate defensive measures:

• Retire vulnerable devices or replace them with supported, secure alternatives.
• Isolate NAS devices from internet-facing networks to prevent unauthorized access.
• Implement strict firewall rules to limit access to the NAS devices.
• Regularly monitor access logs for unusual activity and enable alerts for any unauthorized attempts.
• Consider third-party firmware as a temporary measure, though note that D-Link does not endorse or support such firmware.

Update: D-Link published a security bulletin after we published this article confirming that a security update is not coming, while also listing more device models that users should replace.