Attackers now goal a crucial severity vulnerability with publicly out there exploit code that impacts a number of fashions of end-of-life D-Hyperlink network-attached storage (NAS) gadgets.
Tracked as CVE-2024-10914, the command injection vulnerability was discovered by safety researcher Netsecfish, who additionally shared exploitation particulars and stated that unauthenticated attackers may exploit it to inject arbitrary shell instructions by sending malicious HTTP GET requests to weak NAS gadgets uncovered on-line.
The affected gadgets NAS fashions record contains DNS-320 Model 1.00, DNS-320LW Model 1.01.0914.2012, DNS-325 Model 1.01, Model 1.02, and DNS-340L Model 1.08.
The assaults began after D-Hyperlink stated on Friday that it would not repair the safety flaw as a result of it solely impacts end-of-life NAS fashions, warning clients to retire affected gadgets or improve them to newer merchandise.
“Merchandise which have reached their EOL/EOS not obtain system software program updates and safety patches and are not supported by D-Hyperlink. D-Hyperlink US recommends retiring and changing D-Hyperlink gadgets which have reached EOL/EOS,” the corporate stated.
Nonetheless, because the Shadowserver menace monitoring service found, menace actors took discover and began focusing on the vulnerability on Monday.
“We’ve got noticed D-Hyperlink NAS CVE-2024-10914 /cgi-bin/account_mgr.cgi command injection exploitation makes an attempt beginning Nov twelfth. This vuln impacts EOL/EOS gadgets, which needs to be faraway from the Web,” Shadowserver warned.
Whereas Shadowserver stated it noticed simply over Web-exposed 1,100 D-Hyperlink NAS gadgets, Netsecfish stated it discovered over 41,000 distinctive IP addresses on-line utilized by weak gadgets in an Web scan with Huashun Xin’an’s FOFA platform.
In April, Netsecfish additionally reported a hardcoded backdoor and an arbitrary command injection flaw—impacting virtually the identical D-Hyperlink NAS fashions and collectively tracked as CVE-2024-3273—that may be chained to execute instructions on the system remotely.
As a D-Hyperlink spokesperson advised BleepingComputer in April, the affected NAS gadgets wouldn’t have automated updating capabilities or buyer outreach options to push alerts. Subsequently, these utilizing end-of-life gadgets are suggested to limit entry from the Web as quickly as potential, as they have been focused in ransomware assaults prior to now.
“Sometimes, D-Hyperlink can not resolve system or firmware points for these merchandise since all growth and buyer help have ceased,” the corporate famous on Friday.
“D-Hyperlink strongly recommends retiring this product and cautions that additional use could also be dangerous to linked gadgets. If US customers proceed to make use of these gadgets in opposition to D-Hyperlink’s suggestion, please make sure the system has the newest firmware.”