Back to KEVs

CVE-2024-10914

D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

Basic Information

CVE State: PUBLISHED
Reserved Date: November 06, 2024
Published Date: November 06, 2024
Last Updated: November 24, 2024
Vendor: D-Link
Product: DNS-320, DNS-320LW, DNS-325, DNS-340L
Description: A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. In D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L bis 20241028 wurde eine kritische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion cgi_user_add der Datei /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. Durch Manipulation des Arguments name mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Die Komplexität eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur öffentlichen Verfügung.

CVSS Scores

CVSS v4.0

9.2 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.0

8.1 - HIGH

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.6 -

Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

EPSS Score

Score: 93.94% (Percentile: 99.87%) as of 2025-04-29

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2025-04-23 00:00:00 UTC) Source

References

https://vuldb.com/?id.283309 https://vuldb.com/?ctiid.283309 https://vuldb.com/?submit.432847 https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4 https://www.dlink.com/

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-04-24 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-10914.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

K3ysTr0K3R/CVE-2024-10914-EXPLOIT

Type: github • Created: 2024-11-27 23:10:20 UTC • Stars: 3

A PoC exploit for CVE-2024-10914 - D-Link Remote Code Execution (RCE)

ThemeHackers/CVE-2024-10914

Type: github • Created: 2024-11-16 16:32:05 UTC • Stars: 5

CVE-2024-10914 is a critical command injection vulnerability affecting several legacy D-Link Network Attached Storage (NAS) devices.

verylazytech/CVE-2024-10914

Type: github • Created: 2024-11-10 12:01:21 UTC • Stars: 44

POC - CVE-2024–10914- Command Injection Vulnerability in `name` parameter for D-Link NAS

imnotcha0s/CVE-2024-10914

Type: github • Created: 2024-11-09 19:30:39 UTC • Stars: 11

Exploit for cve-2024-10914: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 Command Injection