Many Legacy D-Link NAS Devices Exposed to Remote Attacks via Critical Flaw

D-Link on Friday warned that multiple discontinued NAS models are affected by a critical-severity command injection vulnerability for which exploit code has been published.

The issue, tracked as CVE-2024-10914 (CVSS score of 9.2), impacts the account management functionality of the affected devices.

Because the name parameter is not properly sanitized when adding a new user, an unauthenticated attacker could supply crafted HTTP GET requests to inject arbitrary shell commands.

According to security researcher Netsecfish, an attacker can exploit the vulnerability by sending “a crafted HTTP GET request to the NAS device with malicious input in the name parameter”.

See more: https://www.securityweek.com/many-legacy-d-link-nas-devices-exposed-to-remote-attacks-via-critical-flaw/

#cybersecurity

nostr:nevent1qqsdepw3x9z978x4smw0ell7l574h4qcdd6u4ape287kkmtcavn67zspzpmhxue69uhkummnw3ezumt0d5hsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqs7x8rk2 

 D-Link won’t fix critical bug in 60,000 exposed EoL modems

Tens of thousands of exposed D-Link routers that have reached their end-of-life are vulnerable to a critical security issue that allows an unauthenticated remote attacker to change any user's password and take complete control of the device.

The vulnerability was discovered in the D-Link DSL6740C modem by security researcher Chaio-Lin Yu (Steven Meow), who reported it to Taiwan’s computer and response center (TWCERTCC).

It is worth noting that the device was not available in the U.S. and reached end-of-service (EoS) phase at the beginning of the year.

See more: https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-bug-in-60-000-exposed-eol-modems/

#cybersecurity #dlink

nostr:nevent1qqsdepw3x9z978x4smw0ell7l574h4qcdd6u4ape287kkmtcavn67zspzpmhxue69uhkummnw3ezumt0d5hsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqs7x8rk2