Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-10915

Severity: 9.2 CRITICAL
EPSS: 94.2% (top 0.08%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Nov 6

Description

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (4 packages)

CVEListV5 d-link/dns-340l 20241028
CVEListV5 d-link/dns-320lw 20241028
CVEListV5 d-link/dns-320 20241028
CVEListV5 d-link/dns-325 20241028

🔴 Vulnerability Details (3)

CVEList: D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection (2024-11-06)
GHSA: GHSA-6cgw-73x3-c2h9: A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028 (2024-11-06)
VulnCheck: D-Link dns-320_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (2024)

💥 Exploits & PoCs (1)

Nuclei: D-Link NAS - Command Injection via Group Parameter