Forwarded from lumu's summertime saasneen (lana del rey cried from high temperatures) (Maya)
There's a critical vulnerability in D-Link NAS devices (CVE-2024-10914: NVD Details) that allows anyone to execute arbitrary commands via an HTTP request.
D-Link won’t fix it, claiming the affected devices are too old—even though some are under 10 years old.
In a technical write-up that provides exploit details, security researcher Netsecfish says that leveraging the vulnerability requires sending "a crafted HTTP GET request to the NAS device with malicious input in the name parameter."
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"
Bleeping Computer Article
YouTube Technical Breakdown by Low Level
D-Link won’t fix critical flaw affecting 60,000 older NAS devices
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.