// For flags

CVE-2024-10915

D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

Severity Score

9.2
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Eine kritische Schwachstelle wurde in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L bis 20241028 ausgemacht. Davon betroffen ist die Funktion cgi_user_add der Datei /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. Mittels dem Manipulieren des Arguments group mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Die Komplexität eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur öffentlichen Verfügung.

*Credits: netsecfish
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
High
None
Integrity
High
None
Availability
High
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-11-06 CVE Reserved
  • 2024-11-06 CVE Published
  • 2024-11-06 CVE Updated
  • 2024-11-06 First Exploit
  • 2025-01-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-707: Improper Neutralization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Dlink
Search vendor "Dlink"
 Dns-320 Firmware
Search vendor "Dlink" for product "Dns-320 Firmware"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-320lw Firmware
Search vendor "Dlink" for product "Dns-320lw Firmware"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-325 Firmware
Search vendor "Dlink" for product "Dns-325 Firmware"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-340l Firmware
Search vendor "Dlink" for product "Dns-340l Firmware"
*-
Affected
D-link
Search vendor "D-link"
 Dns-320
Search vendor "D-link" for product "Dns-320"
*-
Affected
D-link
Search vendor "D-link"
 Dns-320lw
Search vendor "D-link" for product "Dns-320lw"
*-
Affected
D-link
Search vendor "D-link"
 Dns-325
Search vendor "D-link" for product "Dns-325"
*-
Affected
D-link
Search vendor "D-link"
 Dns-340l
Search vendor "D-link" for product "Dns-340l"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-320 Firmware
Search vendor "Dlink" for product "Dns-320 Firmware"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-320lw Firmware
Search vendor "Dlink" for product "Dns-320lw Firmware"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-325 Firmware
Search vendor "Dlink" for product "Dns-325 Firmware"
*-
Affected
Dlink
Search vendor "Dlink"
 Dns-340l Firmware
Search vendor "Dlink" for product "Dns-340l Firmware"
*-
Affected