CVE-2024-10915
Published: 06 November 2024
Summary
CVE-2024-10915 is a critical-severity Injection (CWE-74) vulnerability in D-Link DNS-320 firmware. Its CVSS base score is 9.2 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability rated critical exists in several D-Link NAS models including DNS-320, DNS-320LW, DNS-325, and DNS-340L up to the 20241028 firmware release. It resides in the cgi_user_add function within /cgi-bin/account_mgr.cgi when handling the group argument, allowing OS command injection as indicated by the associated CWEs for injection flaws. The issue can be reached over the network and carries a CVSS 4.0 score of 9.2 reflecting high impact on confidentiality, integrity, and availability under conditions of high attack complexity.
An unauthenticated remote attacker can supply a crafted group parameter to the affected CGI endpoint. Successful exploitation yields arbitrary operating-system command execution on the device, though the attack is described as difficult and complex to carry out. Public exploit code has been released, enabling potential use by threat actors who can reach the NAS management interface.
The provided references point to detailed technical write-ups and the vendor site but contain no explicit statements on patches, firmware updates, or other mitigations. The EPSS score remains elevated near 0.94 with negligible movement between its recorded peak and current value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33345
Vulnerability details
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Enforces use of documented standards and tool configurations that address proper neutralization of inputs/outputs during development.
Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
Validates inputs to block special elements that would alter OS command execution.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
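The input-validation and monitoring controls above, applied to this CVE's endpoint, as an added example (not code from the vendor or the source page): a Python check that scans access-log lines for cgi_user_add requests whose group value falls outside a conservative allowlist. The log format, the allowlist pattern, the function names and the sample lines are assumptions constructed for illustration, and only parameters carried in the URL are visible to it.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/account_mgr.cgi"   # path named in the CVE description
# Assumption: legitimate group names are short alphanumeric tokens (or empty).
SAFE_GROUP = re.compile(r"[A-Za-z0-9_-]{0,32}")
# Request line inside a common/combined-format access-log entry (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_group(line):
    """Return the decoded group value if it fails the allowlist, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if "cgi_user_add" not in params.get("cmd", []):
        return None
    for value in params.get("group", []):
        # fullmatch: every character must be allowlisted, so shell
        # metacharacters, whitespace and control bytes are all rejected.
        if not SAFE_GROUP.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client_address, offending_value) for each flagged line."""
    hits = []
    for line in lines:
        value = suspicious_group(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample log lines (documentation address ranges, placeholder value).
SAMPLE = [
    '192.0.2.10 - - [06/Nov/2024:10:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=staff HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Nov/2024:10:00:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=a%3BPLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.10 - - [06/Nov/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE):
        print(f"ALERT {client}: non-allowlisted group value {value!r}")
```

The same allowlist test is the shape of the fix on the server side: reject the request before the value reaches any command line, rather than trying to strip individual metacharacters.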