OS Command Injection Vulnerability in D-Link NAS Products
CVE-2024-10915

9.8CRITICAL

Key Information:

Vendor: D-Link
Status: Dns-320 Firmware
Vendor: CVE Published:; 6 November 2024

Summary

A vulnerability exists in D-Link's DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS devices, specifically within the cgi_user_add function of the /cgi-bin/account_mgr.cgi endpoint. This issue is caused by improper handling of the 'group' argument, which leads to potential OS command injection. Remote attackers can exploit this vulnerability to execute arbitrary commands on the affected devices. Although the complexity of the attack is high, the public disclosure of the exploit raises concerns about the security posture of networks utilizing these devices. Users are advised to apply any available patches or mitigations.

References

https://vuldb.com/?id.283310

https://vuldb.com/?ctiid.283310

https://vuldb.com/?submit.432848

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 6, 2024