CVE-2024-10914: D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
First published: Wed Nov 06 2024(Updated: )
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Credit: cna@vuldb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| D-Link DNS-320 | ||
| D-Link DNS-320L | ||
| All of | ||
| Dell DNS-320LW Firmware | ||
| Dlink Dns-320lw Firmware | ||
| All of | ||
| D-Link DNS-325 Firmware | ||
| Dlink DNS-325 | ||
| All of | ||
| D-Link DNS-340L Firmware | ||
| Dlink DNS-340L Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/
- https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4
- https://vuldb.com/?ctiid.283309
- https://vuldb.com/?id.283309
- https://vuldb.com/?submit.432847
- https://www.dlink.com/
- https://www.bleepingcomputer.com/news/security/critical-bug-in-eol-d-link-nas-devices-now-exploited-in-attacks/
- https://www.theregister.com/2024/11/18/teenage_serial_swatterforhire_busted/
- https://www.bleepingcomputer.com/news/security/d-link-urges-users-to-retire-vpn-routers-impacted-by-unfixed-rce-flaw/
Frequently Asked Questions
What is the severity of CVE-2024-10914?
CVE-2024-10914 has been declared as critical.
Which D-Link devices are affected by CVE-2024-10914?
CVE-2024-10914 affects the D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L.
What type of vulnerability is described by CVE-2024-10914?
CVE-2024-10914 is classified as a command injection vulnerability.
How does CVE-2024-10914 exploit the system?
The vulnerability exploits the function cgi_user_add by manipulating its argument name.
Is there a fix available for CVE-2024-10914?
D-Link has announced that they will not be fixing CVE-2024-10914.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-10914
- alias/CVE-2024-3273
- agent/severity
- collector/the-register
- source/The Register
- alias/CVE-2021-41277
- alias/CVE-2024-11068
- alias/CVE-2024-11067
- alias/CVE-2024-11066
- agent/references
- agent/event
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/dlink
- canonical/d-link dns-320
- canonical/d-link dns-320l
- canonical/dell dns-320lw firmware
- canonical/dlink dns-320lw firmware
- canonical/d-link dns-325 firmware
- canonical/dlink dns-325
- canonical/d-link dns-340l firmware
- canonical/dlink dns-340l firmware