June 8, 2026
CVE-2024-10914 D-Link NAS: Unauthenticated Command Injection → Root Shell
Dharanis
1. Overview
CVE-2024-10914 is a critical unauthenticated OS command injection vulnerability in multiple D-Link NAS devices, disclosed in November 2024 by security researcher NetSecFish. Any attacker on the network — or on the open internet if the device is port-forwarded — can execute arbitrary OS commands as root without providing any credentials.
The vulnerability lives in account_mgr.cgi, which handles user account management on the device. The name parameter passed to cgi_user_add is taken directly from the HTTP request and fed into a shell command with zero sanitization. An attacker injects shell metacharacters to break out of the intended command and execute anything they want as root.
Why this is catastrophic: A NAS holds the most sensitive files in an organization — financial records, client data, credentials, backups. CVE-2024-10914 delivers root access with a single unauthenticated HTTP request. Every file on every connected drive is immediately reachable.
2. Affected Devices
▲ D-Link DNS-320 ShareCenter — one of four permanently unpatched devices affected by CVE-2024-10914
All devices are permanently end-of-life. D-Link's own security advisory explicitly recommends replacing the hardware. No patch will ever ship.
3. Background
3.1 Why Attacking a NAS is Different
▲ NAS ransomware attack path — CVE-2024-10914 provides the same level of access as a full ransomware compromise, instantly and without credentials
A NAS (Network Attached Storage) is a hard drive with its own embedded web server connected to an entire network. Small businesses use D-Link NAS devices to centralize shared documents, databases, backups, and client files. Unlike attacking a single workstation or web server, owning a NAS means owning everything the organization has ever stored digitally.
CVE-2024-10914 gives root — meaning the attacker can read, modify, delete, encrypt, or exfiltrate every single file on every connected drive.
3.2 What is Command Injection (CWE-77)?
Command injection happens when user-supplied input is passed directly into a system shell command without sanitization. The attacker inserts shell metacharacters (', backticks, ;, |) to terminate the intended command and start a new one of their choosing. It is fundamentally an input validation failure — and one of the most impactful classes of web vulnerabilities.
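The account_mgr.cgi flaw described in the Overview and the metacharacter break-out explained above translate directly into a detection rule. The script below is an added example (not part of this post or of the PoC tool): it applies a strict allowlist to the name parameter of cgi_user_add requests and flags every log entry that fails it. The log lines are constructed, and the /cgi-bin/ prefix and combined-log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The second request
# carries shell metacharacters in the `name` parameter of cgi_user_add.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
10.0.0.5 - - [12/Nov/2024:10:01:09 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 198
10.0.0.7 - - [12/Nov/2024:10:02:30 +0000] "GET /cgi-bin/info.cgi HTTP/1.1" 200 1024
"""

# Allowlist for account names: letters, digits, dot, underscore, hyphen.
# Quotes, ';', '|', '&', '$', backticks and whitespace are all rejected,
# which is the same check the CGI should have applied before building a command.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Pulls the method and request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def is_safe_username(name: str) -> bool:
    """True only if the name cannot break out of a shell command (allowlist, not denylist)."""
    return bool(USERNAME_RE.match(name))


def scan_log(text: str) -> list[dict]:
    """Return one finding per account_mgr.cgi request whose `name` fails the allowlist."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/account_mgr.cgi"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        cmd = params.get("cmd", [""])[0]
        for name in params.get("name", []):
            if not is_safe_username(name):
                findings.append({"source": line.split()[0], "cmd": cmd, "name": name})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"suspicious account_mgr.cgi request from {f['source']}: "
              f"cmd={f['cmd']} name={f['name']!r}")
```

Because the rule keys on the allowlist rather than on a known payload string, it also catches variants that use different metacharacters or command names.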
4. Exploitation
4.1 Running the Exploit
The exploit script takes one argument — the target URL with the -u flag. Everything else is automated:
bash cve-2024-10914.sh -u http://79.189.72.25:88
4.2 Output
5. Post-Exploitation
Once uid=0(root) is confirmed, here is what the attacker can do from the Shell$:
6. Remediation
▶ REPLACE THE DEVICE — D-Link's own recommendation. These devices will never be patched. Any DNS-320/320LW/325/340L connected to the internet is permanently exploitable.
▶ Disconnect immediately — remove any port forwarding to the device from the internet-facing router
▶ Isolate on a separate VLAN — prevent lateral movement to other network devices if the NAS is already compromised
▶ Block ports 80, 88, 443, 8080, 8443 at the firewall for this device's IP
7. References
▶ PoC Tool: https://github.com/verylazytech/CVE-2024-10914
▶ Disclosed: November 2024 — CVSS 9.2 Critical — No patch — Active exploitation confirmed
▶ D-Link Advisory (SAP10413): https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413
▶ NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10914
▶ SecurityWeek: https://www.securityweek.com/d-link-warns-of-rce-vulnerability-in-legacy-routers