Critical Vulnerability in D-Link NAS Devices Exposes 61,000 Units

Over 61,000 internet-exposed D-Link network-attached storage (NAS) devices have been found vulnerable to a critical command injection flaw, tracked as CVE-2024-10914. The flaw allows an unauthenticated attacker to execute arbitrary commands on the device, which puts both the stored data and the networks these devices sit on at risk.

The vulnerability affects legacy D-Link NAS models, used mainly by small businesses, that have reached end-of-life (EOL) and no longer receive security updates. With a critical CVSS score of 9.2, immediate action is essential to limit exposure. D-Link has advised users either to retire the affected devices or to make sure they are not reachable from the public internet; because no authentication is required, any device whose web management interface is exposed should be treated as compromisable.

Exploiting the flaw requires minimal technical skill: the attacker supplies a crafted value for the name parameter of the cgi_user_add command, and the device passes that value to a shell without sanitizing it, so shell metacharacters in the name terminate the intended argument and run attacker-chosen commands. The result is full control of the device, exposure of the data it stores, and a foothold for lateral movement within the network.
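Because no fix will ship, the practical defensive step for anyone who still has one of these devices on a network is to look for exploitation attempts in web-server or proxy logs. The scanner below is an added example and is not code from the article or from D-Link. It takes the request shape from the article (the name parameter of the cgi_user_add command); the CGI script path /cgi-bin/account_mgr.cgi comes from the public disclosure and is not stated on this page, so treat it as an assumption. The access-log lines are constructed for the example.

```python
"""Flag CVE-2024-10914-style command injection attempts in access logs.

Added example, not code from the original article or from D-Link.
Assumptions: the request shape cmd=cgi_user_add&name=... (from the article)
and the script path /cgi-bin/account_mgr.cgi (from the public disclosure,
not from the page). The sample log lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Characters that let a value break out of a shell-quoted argument or start
# a new command: quotes, separators, pipes, backticks, $(...) and newlines.
SHELL_META = re.compile(r"[;|&`'\"$()\n]")

# Apache/nginx-style access log: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_query(query: str) -> dict:
    """Split a query string on '&' only, then percent-decode each part.

    Splitting before decoding means an encoded '&' (%26) inside a value stays
    inside that value instead of starting a new parameter.
    """
    params: dict = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def is_cgi_user_add_injection(request_target: str) -> bool:
    """True if the request is cmd=cgi_user_add with a shell-unsafe name."""
    params = parse_query(urlsplit(request_target).query)
    if params.get("cmd") != ["cgi_user_add"]:
        return False
    for name in params.get("name", []):
        # parse_query decoded one layer; decode once more so a double-encoded
        # payload (%2527 -> %27 -> ') is still caught. Over-decoding is
        # acceptable here: a legitimate account name has no reason to contain
        # any of these characters at any encoding depth.
        if SHELL_META.search(unquote(name)):
            return True
    return False


def scan_access_log(lines) -> list:
    """Return one record per log line that looks like an injection attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip it
        if is_cgi_user_add_injection(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign: account created through the UI with an alphanumeric name
    '10.0.0.5 - - [12/Nov/2024:08:01:10 +0000] "GET /cgi-bin/account_mgr.cgi'
    '?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    # attempt: quotes close the shell argument, ';' runs a second command
    '203.0.113.9 - - [12/Nov/2024:08:02:33 +0000] "GET /cgi-bin/account_mgr.cgi'
    '?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 640',
    # attempt: same payload double-encoded to dodge naive single-decode filters
    '203.0.113.9 - - [12/Nov/2024:08:02:40 +0000] "GET /cgi-bin/account_mgr.cgi'
    '?cmd=cgi_user_add&name=%2527%253Bid%253B%2527 HTTP/1.1" 200 640',
    # unrelated request
    '10.0.0.5 - - [12/Nov/2024:08:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['target']}")
```

A status of 200 on a flagged request is the worrying case: the CGI handler accepted the input, so assume the command ran and treat the device as compromised rather than merely probed. The check is deliberately liberal (any shell metacharacter in the name, at any decoding depth) because a legitimate account name never needs them, and a false positive costs an analyst a minute while a miss costs the device.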

D-Link has acknowledged the vulnerability and confirmed that no patch will be released for the EOL devices. Users are urged to replace them with supported models. Organizations that still depend on these legacy devices should act now: remove them from internet-facing networks, restrict access to the management interface, and plan their retirement.
