Critical D-Link NAS Vulnerability Leaves Thousands Exposed
December 4, 2024
According to an article by Sead Fadilpašić in TechRadar, a critical security flaw rated 9.2 out of 10 has been discovered in D-Link NAS (Network Attached Storage) devices. This vulnerability, tracked as CVE-2024-10914, allows attackers to execute unauthorized commands, potentially giving them full control over the system.
D-Link’s decision not to patch these devices places the responsibility on users to secure their data. Often used to store and share sensitive information in homes and businesses, NAS systems are particularly attractive targets for cyberattacks.
Despite the severity of the issue, D-Link has announced it will not release a fix because the affected devices have reached their end-of-life (EOL) and are no longer supported.
Cybercriminals are already exploiting this vulnerability using readily available code. Researchers from Shadowserver have observed attack attempts since November 12. More than 60,000 vulnerable devices have been identified globally, with over 1,100 attacks reported so far.
The vulnerability resides in the “/cgi-bin/account_mgr.cgi” endpoint, which is open to command injection. While exploiting the flaw is technically complex, the fact that these devices are outdated and unsupported makes them easy targets.
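A defender's check for the exposure described above, as an added example that is not from the TechRadar article or from D-Link: it scans web-server or reverse-proxy access logs (Combined Log Format assumed) for requests to the endpoint that arrive from outside the LAN or carry shell metacharacters in a parameter. The LAN range, the parameter names `a` and `b`, and the log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/cgi-bin/account_mgr.cgi"         # path named in the article
LAN = ip_network("192.168.1.0/24")            # assumption: only this network should reach the NAS
SHELL_META = re.compile(r"[;|&`$<>'\"\\\n]")  # characters a shell interprets
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def scan(lines):
    """Return (source_ip, status, reasons) for each suspicious request to ENDPOINT."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, target, status = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        try:
            internal = ip_address(src) in LAN
        except ValueError:            # hostname or garbage in the client field
            internal = False
        reasons = [] if internal else ["source outside LAN"]
        # parse_qsl percent-decodes each value, so encoded metacharacters are caught too
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in parameter {key!r}")
        if reasons:
            findings.append((src, int(status), reasons))
    return findings

# Constructed sample log lines (documentation-range addresses, hypothetical parameters)
SAMPLE_LOG = [
    '192.168.1.20 - - [12/Nov/2024:09:00:00 +0000] "GET /cgi-bin/account_mgr.cgi?a=list HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Nov/2024:09:01:00 +0000] "GET /cgi-bin/account_mgr.cgi?a=list HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Nov/2024:09:02:00 +0000] "GET /cgi-bin/account_mgr.cgi?a=x&b=x%3Bid HTTP/1.1" 200 64',
    '192.168.1.20 - - [12/Nov/2024:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, status, reasons in scan(SAMPLE_LOG):
        print(src, status, "; ".join(reasons))
```

Any hit from outside the LAN means the device is reachable from the internet and should be taken offline pending replacement.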
For companies using an affected D-Link NAS device, experts recommend replacing it immediately with a newer, supported model. Leaving these devices connected to the internet significantly increases the risk of a data breach.
This incident highlights the risks of using outdated technology, especially for organizations like law firms that handle sensitive client data. To reduce the risk of a breach:
- Avoid using unsupported or EOL systems for critical data.
- Implement strict patch management policies to keep all devices up to date.
- Establish redundancy and backup systems to ensure data integrity and availability.
Proactively managing technology lifecycles is essential to maintaining data security in today’s threat landscape.