D-Link announces it will not fix a serious security vulnerability affecting 60,000 older NAS devices.
The affected NAS devices have reached the end of their life cycle and, therefore, will not receive security updates.
A critical vulnerability has been discovered in several models of D-Link's network-attached storage (NAS) devices. Because these devices have reached the end of their life cycle, the company has stated that it will not release updates to address the flaw.
The vulnerability, tracked as CVE-2024-10914 and rated with a severity score of 9.2, is a command injection flaw. It allows attackers to inject arbitrary shell commands into the device through a specially crafted HTTP GET request, which could result in significant remote system compromise.
Although experts warn that the high complexity of the attack makes this vulnerability difficult to exploit, they noted that a public exploit is available. In total, more than 60,000 devices are vulnerable to this flaw, including models such as the DNS-320, DNS-325, and DNS-340L, many of which are used by small and medium-sized businesses.
Because no patch will be available, D-Link recommends that users replace their old devices with newer, supported models. Those who cannot do so immediately are advised to isolate the devices from the internet and place them under more restrictive access conditions.
NAS devices are dedicated data storage units that connect to a network, allowing multiple users to access and store data centrally. These solutions are ideal for securely sharing files, performing backups, and providing storage in both home and business environments. Because they often contain sensitive information, such as personal documents and financial data, NAS devices are an attractive target for cybercriminals, who can steal, encrypt, or delete valuable data, with ransomware being a common threat.