Attackers now target a critical severity vulnerability with publicly available exploit code that affects multiple models of end-of-life D-Link network-attached storage (NAS) devices.
Tracked as CVE-2024-10914, the command injection vulnerability was found by security researcher Netsecfish, who also shared exploitation details and said that unauthenticated attackers could exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable NAS devices exposed online.
The affected devices NAS models list includes DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Version 1.01, Version 1.02, and DNS-340L Version 1.08.
The attacks started after D-Link said on Friday that it wouldn’t fix the security flaw because it only impacts end-of-life NAS models, warning customers to retire affected devices or upgrade them to newer products.
“Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link. D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS,” the company said.
However, as the Shadowserver threat monitoring service discovered, threat actors took notice and started targeting the vulnerability on Monday.
“We have observed D-Link NAS CVE-2024-10914 /cgi-bin/account_mgr.cgi command injection exploitation attempts starting Nov 12th. This vuln affects EOL/EOS devices, which should be removed from the Internet,” Shadowserver warned.
While Shadowserver said it spotted just over Internet-exposed 1,100 D-Link NAS devices, Netsecfish said it found over 41,000 unique IP addresses online used by vulnerable devices in an Internet scan with Huashun Xin’an’s FOFA platform.
In April, Netsecfish also reported a hardcoded backdoor and an arbitrary command injection flaw—impacting almost the same D-Link NAS models and collectively tracked as CVE-2024-3273—that can be chained to execute commands on the device remotely.
As a D-Link spokesperson told BleepingComputer in April, the affected NAS devices do not have automatic updating capabilities or customer outreach features to push alerts. Therefore, those using end-of-life devices are advised to restrict access from the Internet as soon as possible, as they’ve been targeted in ransomware attacks in the past.
“Typically, D-Link cannot resolve device or firmware issues for these products since all development and customer support have ceased,” the company noted on Friday.
“D-Link strongly recommends retiring this product and cautions that further use may be risky to connected devices. If US consumers continue to use these devices against D-Link’s recommendation, please ensure the device has the latest firmware.”
Note: This article have been indexed to our site. We do not claim legitimacy, ownership or copyright of any of the content above. To see the article at original source Click Here
Stanley Quencher H2.0 Tumbler with Handle and Straw 14 oz | Flowstate 3-Position Lid | Cup Holder Compatible for Travel | Insulated Stainless Steel Cup | BPA-Free | Azure
$20.00 (as of February 22, 2025 19:40 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Lenovo IdeaPad 1 Student Laptop Computer, 15.6" FHD Display, Intel Dual Core Processor, 32GB DDR4 RAM, 1TB PCIe SSD, WiFi 6, Bluetooth 5.2, Type-C, Cloud Grey, Windows 11 Pro, Tichang
$379.05 (as of February 22, 2025 19:36 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
TUYOHW Metal Planter Box with Trellis Raised Garden Bed with Trellis 71"x35"x16", Trellis with Planter Box & Privacy Screen, Metal Planter Box for Climbing Plants, Vegetable, Vines
$129.48 (as of February 22, 2025 19:40 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Hollyland Lark M2S Combo (Camera RX+USB-C RX+ Lightning Cable) Wireless Lavalier Microphone for iPhone/Camera/Android/PC, Titanium Clip, Noise Cancelling, 30H Use, Vlog, Interview, Content Creation
$149.00 (as of February 22, 2025 19:36 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
