Critical Security Flaw in EoL D-Link NAS Devices That Exposes 61,000 Units Will Not Be Fixed

• Over 61,000 outdated D-Link network-attached storage devices will remain exposed online due to a critical flaw.
• The command injection vulnerability will not be addressed based on the fact it impacts end-of-life models.
• Hackers could exploit the account management script to execute arbitrary commands on these NAS devices.

A critical command injection vulnerability in outdated D-Link network-attached storage (NAS) devices presents a serious risk, as it allows unauthorized attackers to gain control over affected devices by injecting commands via the “name” parameter in the user-add command.

With a critical CVSS score of 9.2, the flaw tracked as CVE-2024-10914 will not get any patches or fixes expected from D-Link due to the end-of-life (EOL) status of the impacted models, Cyble security researchers said.

According to NetSecFish's scan using the FOFA platform, over 61,000 unique IPs expose these vulnerable devices. Due to insufficient input sanitization, attackers can exploit the account management script to execute arbitrary commands, compromising all data stored on the device.

The vulnerability affects multiple legacy D-Link NAS models, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, all categorized as end-of-service (EOS). These models no longer receive firmware updates, rendering users vulnerable to potential data breaches. 

Exploiting the CVE-2024-10914 vulnerability requires minimal technical skill, as attackers can simply send an HTTP GET request to the device’s IP address, embedding malicious code in the “name” parameter. Given the severity and ease of exploitation, immediate mitigation efforts are essential.

Acknowledging the critical nature of this vulnerability, D-Link advises users to either retire these NAS devices or follow specific mitigation steps if retirement isn't feasible:

• Isolate NAS devices from the public internet to prevent external exploitation.
• Implement firewall rules to limit access to trusted internal networks.
• Regularly change and strengthen passwords and enable encryption for wireless connections.

Advanced users may consider installing third-party firmware, though this may void warranties and lacks D-Link support.

Beyond D-Link’s recommendations, Cyble advises organizations to adopt best practices, including network segmentation, scheduled vulnerability scanning, and network traffic monitoring, to minimize exposure to this risk.

For organizations utilizing affected NAS devices, immediate action is imperative—either retiring these units or implementing stringent access controls is essential to maintain data integrity. Upgrading to newer, supported models remains the most effective solution to safeguard critical information.

In other news, CISA identified two critical vulnerabilities in PTZOptics PT30X-SDI/NDI cameras. These allow potential control over cameras, authentication bypass, data exfiltration, or even remote device configuration altering, which could lead to unauthorized access to video feeds and possible data breaches for enterprises.