D-Link on Friday warned that multiple discontinued NAS models are affected by a critical-severity command injection vulnerability for which exploit code has been published.

The issue, tracked as CVE-2024-10914 (CVSS score of 9.2), impacts the account management functionality of the affected devices.

Because the name parameter is not properly sanitized when adding a new user, an unauthenticated attacker could supply crafted HTTP GET requests to inject arbitrary shell commands.

According to security researcher Netsecfish, an attacker can exploit the vulnerability by sending “a crafted HTTP GET request to the NAS device with malicious input in the name parameter”.

“The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used,” a NIST advisory reads.

The security defect, Netsecfish says, impacts D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS models. The researcher warns that more than 61,000 vulnerable devices can be accessed from the internet.

D-Link, however, warns that 16 other discontinued NAS models are affected and that it cannot address the vulnerability, as all development and customer support have ceased. Some of these devices were retired a decade ago.

“This exploit affects legacy D-Link products and all hardware revisions that have reached their end-of-life (‘EOL’)/end-of-service-life (‘EOS’) life cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link,” the company notes in its advisory.

D-Link recommends that its customers retire these products and migrate to supported ones.

US customers who continue to use these devices despite D-Link’s recommendations should ensure they run the latest firmware, the company says.

Users outside the US, however, may use third-party firmware that is available for many of the affected devices, D-Link notes, warning that it does not support such firmware and that installing it voids warranty.

Related: Organizations Warned of Exploited SAP, Gpac and D-Link Vulnerabilities

Related: New Vulnerabilities Expose Hundreds of Thousands of DrayTek Routers to Hacking

Related: Critical Vulnerabilities Expose MoFi Routers to Remote Attacks

Related: Vulnerabilities Allow Hackers to Disrupt, Hijack Schneider PowerLogic Devices