Massive D-Link NAS Vulnerability Exposes 60,000 Devices to Critical Command Injection Risk
November 8, 2024

A critical command injection vulnerability, tracked as CVE-2024-10914, has been identified in over 60,000 D-Link network-attached storage (NAS) devices, with a severity score of 9.2.
A recent FOFA search uncovered 61,147 vulnerable D-Link devices operating across 41,097 unique IP addresses.
The affected models include several versions of the DNS-320, DNS-325, and DNS-340L, which are commonly used by small businesses.
The flaw resides in the 'cgi_user_add' command, where the name parameter is not properly sanitized, allowing unauthenticated attackers to execute arbitrary shell commands.
Security researcher Netsecfish has detailed the exploit method, which involves sending a specially crafted HTTP GET request with malicious input.
D-Link has confirmed that it no longer manufactures NAS devices and that the vulnerable products have reached end-of-life, meaning they will not receive any security updates.
In light of this vulnerability, D-Link has issued a security bulletin stating that no fixes will be provided for CVE-2024-10914 and recommends that users retire affected devices.
For users unable to retire their devices, it is advised to isolate them from the public internet or implement stricter access controls.
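For devices that cannot be retired, a defender can at least watch the web server's access log for the request pattern described above: a GET request naming the `cgi_user_add` command whose `name` parameter carries shell metacharacters. The following detector is an added example, not code from D-Link or from the original article; the CGI path and the log lines are constructed placeholders, and the `cmd` query parameter is an assumption about how the command is selected.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that never belong in a username but let input reach a shell
# when a CGI handler passes the parameter through unsanitized.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")

# Combined-log-format line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the .cgi path is a placeholder, not the real endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2024:10:01:02 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
203.0.113.9 - - [08/Nov/2024:10:01:05 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=bob%3B%20ls HTTP/1.1" 200 88
198.51.100.3 - - [08/Nov/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1234
"""


def classify(line: str):
    """Return (client_ip, request_target, reason) for a suspicious
    cgi_user_add request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    query = urlsplit(target).query
    if "cgi_user_add" not in query:
        return None
    params = parse_qs(query, keep_blank_values=True)
    for value in params.get("name", []):
        # parse_qs already decoded once; decode again to catch double-encoding.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return (m.group("ip"), target, "shell metacharacters in name")
    return None


def scan(log_text: str):
    """Run classify() over every line and collect the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {reason}: {target}")
```

Any hit from an address outside the management network is a strong signal that the device is reachable from where it should not be, which is the isolation problem the bulletin's advice addresses.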
This newly discovered vulnerability follows another significant flaw found in April 2024, which also involved arbitrary command injection and a hardcoded backdoor in similar D-Link NAS models.
Source
BleepingComputer • Nov 8, 2024
D-Link won’t fix critical flaw affecting 60,000 older NAS devices