Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2024-10914
Severity
9.2 (Critical)
EPSS
93.9%
top 0.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Nov 6
Latest update: Nov 13
Description
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. The affected code is the function cgi_user_add in the file /cgi-bin/account_mgr.cgi, reached via the request /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. Manipulation of the name argument leads to OS command injection. The attack can be launched remotely. Attack complexity is rated high, and exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected packages: 4 packages
Vulnerability details (3 sources)
CVEList: D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection (2024-11-06)
GHSA: GHSA-qp96-9hxv-3xx4: A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028 (2024-11-06)
VulnCheck: D-Link dns-320_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (2024)
Exploits & PoCs (1 source)
Nuclei: D-Link NAS - Command Injection via Name Parameter
Detection rules (1 source)
Suricata: ET WEB_SPECIFIC_APPS D-Link NAS OS Command Injection in cgi_user_add Function (CVE-2024-10914) (2024-11-08)