🔐 D-Link network-attached storage (NAS) devices that have reached end-of-life (EoL) are vulnerable to a critical command injection flaw, tracked as CVE-2024-10914. This flaw, with a severity score of 9.2, affects more than 60,000 devices, many of which are used by small businesses. The issue lies in the cgi_user_add command, where unsanitized input can lead to command injection attacks. D-Link has announced it will not issue a fix, leaving these devices exposed.
Affected models and firmware versions:

- DNS-320 Version 1.00
- DNS-320LW Version 1.01.0914.2012
- DNS-325 Version 1.01, Version 1.02
- DNS-340L Version 1.08

According to cybersecurity researcher Netsecfish, an attacker could send an HTTP GET request with malicious input in the name parameter, leading to command injection. A search conducted by Netsecfish found 61,147 results on 41,097 unique IP addresses for devices vulnerable to CVE-2024-10914.
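A defender's check for the request pattern described above, as an added example that is not from the original article or from Netsecfish: it scans web access logs for requests that invoke cgi_user_add with a name value outside a conservative allowlist. The log format (common log format, taken from a proxy or gateway in front of the NAS), the placeholder CGI path, the sample lines and the allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conservative allowlist for a legitimate account name (assumption, tune per site).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,32}")
# Common/combined log format: client address first, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+"')

def suspicious_user_add(line):
    """Return (client_ip, decoded_name) when a request invokes cgi_user_add
    with a name outside the allowlist, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, _method, target = m.groups()
    # parse_qs percent-decodes values, so encoded metacharacters are seen.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # The article does not give the key that carries the command name,
    # so match the value cgi_user_add under any key.
    if not any("cgi_user_add" in values for values in params.values()):
        return None
    for name in params.get("name", []):
        if not SAFE_NAME.fullmatch(name):
            return client, name
    return None

# Constructed sample log lines (documentation IP ranges, placeholder CGI path).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Nov/2024:10:03:44 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=alice%3Becho+x HTTP/1.1" 200 0',
    '203.0.113.5 - - [12/Nov/2024:10:04:10 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=%24%28echo+x%29 HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Nov/2024:10:05:00 +0000] "GET /index.html?name=%3Bx HTTP/1.1" 200 1024',
]

def scan(lines):
    """Return every (client_ip, decoded_name) hit found in the given log lines."""
    return [hit for hit in map(suspicious_user_add, lines) if hit]

if __name__ == "__main__":
    for client, name in scan(SAMPLE_LOG):
        print(f"ALERT {client} cgi_user_add name={name!r}")
```

Any hit from an address outside the management network also shows that the device is still reachable from where it should not be.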
D-Link’s official response is that no fix will be issued for this vulnerability. The vendor advises users to:
- Retire the affected products if possible.
- Isolate the devices from public internet access.
- Restrict access using stricter firewall rules.

Earlier in 2024, Netsecfish discovered another flaw, CVE-2024-3273, which allowed arbitrary command injection and contained a hardcoded backdoor, impacting similar models. A scan at the time revealed 92,589 vulnerable devices on the internet.
D-Link’s decision not to fix the flaw has significant implications for small businesses that rely on these NAS devices. For those unable to retire or replace their equipment:
- Isolate NAS devices from external access.
- Consider alternative NAS solutions for data security.
- Stay informed about potential network vulnerabilities and prioritize cybersecurity best practices.

⚠️ Don’t Leave Your Data Exposed! Be proactive in securing your NAS devices by isolating them and implementing strict firewall rules.
For businesses facing security challenges, Wire Tor offers specialized penetration testing services to assess vulnerabilities in network systems and ensure digital assets remain secure. Our team of experts is here to help you secure your infrastructure and safeguard your business from emerging threats.