CVE-2024-10914

HIGH EXPLOITED NUCLEI

D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L - OS Command Injection via cgi_user_add name Parameter

Title source: llm

Exploitation Summary

CVE-2024-10914 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 16 public exploits from researchers including verylazytech, imnotcha0s, ThemeHackers. A Nuclei detection template is also available.

Description

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Exploits (16)

nomisec WORKING POC 47 stars
by verylazytech · remote
https://github.com/verylazytech/CVE-2024-10914

This repository contains functional exploit code for CVE-2024-10914, a command injection vulnerability in D-Link NAS devices. The exploit targets the `name` parameter in the `account_mgr.cgi` script, allowing remote command execution via crafted HTTP requests.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (versions up to 20241028)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of the firmware
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 12 stars
by imnotcha0s · remote
https://github.com/imnotcha0s/CVE-2024-10914

The repository contains a functional exploit for CVE-2024-10914, demonstrating a command injection vulnerability in D-Link DNS devices. The exploit leverages a crafted HTTP request to execute arbitrary commands via the 'account_mgr.cgi' endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (Versions 1.00, 1.01.0914.2012, 1.01, 1.02, 1.08)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable firmware version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 9 stars
by ThemeHackers · remote
https://github.com/ThemeHackers/CVE-2024-10914

This repository contains a functional Python exploit for CVE-2024-10914, a remote code execution vulnerability in D-Link DNS devices. The exploit leverages command injection via the `/cgi-bin/account_mgr.cgi` endpoint to execute arbitrary commands and provides an interactive shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (various firmware versions)
No auth needed
Prerequisites: Network access to the target device · Vulnerable D-Link device with exposed management interface
devstral-2 · analyzed Feb 18, 2026

github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2024/CVE-2024-10914.md

The repository contains detailed technical writeups for multiple CVEs, including CVE-2024-10914 (command injection in account_mgr.cgi), CVE-2024-22024 (XXE in Ivanti Connect Secure), and others. Each writeup includes vulnerability descriptions, PoC examples, mitigation steps, and references.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Multiple (account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of HTTP requests and payload crafting
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 4 stars
by K3ysTr0K3R · remote
https://github.com/K3ysTr0K3R/CVE-2024-10914-EXPLOIT

The repository contains a functional Python exploit for CVE-2024-10914, targeting D-Link NAS devices. It leverages command injection via the 'name' parameter in the 'cgi_user_add' function to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L
No auth needed
Prerequisites: Network access to the vulnerable D-Link NAS device
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by redspy-sec · remote
https://github.com/redspy-sec/D-Link

The repository contains a functional exploit for CVE-2024-10914, a command injection vulnerability in D-Link NAS devices. The exploit leverages the 'name' parameter in the '/cgi-bin/account_mgr.cgi' endpoint to execute arbitrary commands, confirmed by checking the response for user/group details.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (up to 20241028)
No auth needed
Prerequisites: Network access to the target device · The target device must be running a vulnerable firmware version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by TH-SecForge · remote
https://github.com/TH-SecForge/CVE-2024-10914

This repository contains a functional Python-based exploit for CVE-2024-10914, targeting a command injection vulnerability in D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices. The exploit leverages a vulnerable endpoint `/cgi-bin/account_mgr.cgi` to achieve remote code execution (RCE) by injecting arbitrary commands via the `name` parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320 (Firmware 1.00), DNS-320LW (Firmware 1.01.0914.2012), DNS-325 (Firmware 1.01, 1.02), DNS-340L (Firmware 1.08)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable firmware version · Port 80 (or specified port) must be accessible
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by yenyangmjaze · remote
https://github.com/yenyangmjaze/cve-2024-10914

This repository contains functional exploit code for CVE-2024-10914, a command injection vulnerability in D-Link NAS devices. The exploit targets the `name` parameter in the `account_mgr.cgi` script, allowing remote command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of the firmware
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by Bu0uCat · remote
https://github.com/Bu0uCat/D-Link-NAS-CVE-2024-10914-

This repository contains a functional exploit PoC for CVE-2024-10914, a command injection vulnerability in D-Link NAS devices. The script sends a crafted HTTP request to execute arbitrary commands via the 'name' parameter in the 'account_mgr.cgi' endpoint.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (versions up to 20241028)
No auth needed
Prerequisites: Network access to the target device · The CGI endpoint must be exposed
devstral-2 · analyzed Feb 18, 2026

gitlab WORKING POC
by ThemeHackers · poc
https://gitlab.com/ThemeHackers/CVE-2024-10914

This repository contains a functional Python exploit for CVE-2024-10914, targeting a command injection vulnerability in D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices. The exploit leverages an insecure endpoint in the web interface to execute arbitrary commands via crafted HTTP requests.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320 (Firmware 1.00), DNS-320LW (Firmware 1.01.0914.2012), DNS-325 (Firmware 1.01, 1.02), DNS-340L (Firmware 1.08)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable firmware version
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by 0xSS3K · remote
https://github.com/0xSS3K/CVE-2024-10914__POC

The repository contains a functional Python exploit for CVE-2024-10914, demonstrating command injection via the 'name' parameter in the '/cgi-bin/account_mgr.cgi' endpoint. The exploit sends a crafted payload to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a web application with vulnerable CGI endpoint)
No auth needed
Prerequisites: Network access to the target endpoint · Python with 'requests' library
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by Tamirido30 · poc
https://github.com/Tamirido30/CVE-2024-10914-Exploit

This repository contains a functional exploit for CVE-2024-10914, targeting a command injection vulnerability in a web application's CGI script. The exploit provides a shell-like interface for remote command execution, reverse shell capabilities, and file transfer functionalities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (CGI script vulnerability)
No auth needed
Prerequisites: Network access to the target web application · Python environment with requests library
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by dragonXZH · remote
https://github.com/dragonXZH/CVE-2024-10914

This repository contains a functional Go-based exploit for CVE-2024-10914, demonstrating OS command injection in D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices via the 'name' parameter in the cgi_user_add function. The exploit includes verification and interactive shell capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link DNS-320 (1.00), DNS-320LW (1.01.0914.2012), DNS-325 (1.01, 1.02), DNS-340L (1.08)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable firmware version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by jahithoque · remote
https://github.com/jahithoque/CVE-2024-10914-Exploit

The repository contains a functional exploit script for CVE-2024-10914, targeting a command injection vulnerability in D-Link DNS devices via the 'cgi_user_add' function in '/cgi-bin/account_mgr.cgi'. The script crafts a malicious URL with an injected command and sends it to the target using curl.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (up to version 20241028)
No auth needed
Prerequisites: Target device must be accessible · Curl must be installed on the attacker's machine
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by retuci0 · remote
https://github.com/retuci0/cve-2024-10914-port

This repository contains functional exploit code for CVE-2024-10914, a command injection vulnerability in D-Link routers. The exploit leverages improper input sanitization in the `account_mgr.cgi` endpoint to achieve remote code execution via shell metacharacters.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L (various versions)
No auth needed
Prerequisites: Network access to the vulnerable device · HTTP endpoint exposed on the target
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by Egi08 · remote
https://github.com/Egi08/CVE-2024-10914

This repository provides a detailed manual testing guide for exploiting CVE-2024-10914, a command injection vulnerability in D-Link NAS devices. It includes step-by-step instructions for using Burp Suite to test and exploit the vulnerability in the 'name' parameter of the account_mgr.cgi endpoint.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link NAS (DNS ShareCenter) with lighttpd/1.4.25-devel-fb150ff
No auth needed
Prerequisites: Burp Suite · Browser configured to use Burp Suite as a proxy
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

D-Link NAS - Command Injection via Name Parameter
CRITICAL · by s4e-io
Shodan: http.html:"sharecenter"
FOFA: body="sharecenter"

References (6)

Core References
Permissions Required, Third Party Advisory vdb-entry technical-description
https://vuldb.com/?id.283309
Permissions Required signature permissions-required
https://vuldb.com/?ctiid.283309
Third Party Advisory third-party-advisory
https://vuldb.com/?submit.432847
Product product
https://www.dlink.com/

Scores

CVSS v3 8.1
EPSS 0.9743
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-11-13
CWE
CWE-78 CWE-74 CWE-707
Status published
Products (4)
dlink/dns-320_firmware
dlink/dns-320lw_firmware
dlink/dns-325_firmware
dlink/dns-340l_firmware
Published Nov 06, 2024
Tracked Since Feb 18, 2026