Many Legacy D-Link NAS Devices Exposed to Remote Attacks via Critical Flaw

D-Link on Friday warned that multiple discontinued NAS models are affected by a critical-severity command injection vulnerability for which exploit code has been published.

The issue, tracked as CVE-2024-10914 (CVSS score of 9.2), impacts the account management functionality of the affected devices.

Because the name parameter is not properly sanitized when adding a new user, an unauthenticated attacker could supply crafted HTTP GET requests to inject arbitrary shell commands.

According to security researcher Netsecfish, an attacker can exploit the vulnerability by sending “a crafted HTTP GET request to the NAS device with malicious input in the name parameter”.

See more: https://www.securityweek.com/many-legacy-d-link-nas-devices-exposed-to-remote-attacks-via-critical-flaw/

#cybersecurity

nostr:nevent1qqsdepw3x9z978x4smw0ell7l574h4qcdd6u4ape287kkmtcavn67zspzpmhxue69uhkummnw3ezumt0d5hsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqs7x8rk2