## https://sploitus.com/exploit?id=E1AAC22D-15F2-5C30-97AF-9F18690CA25F
# CVE-2024-10914 - D-Link Remote Code Execution (RCE)
This repo contains a proof-of-concept (PoC) exploit for a critical vulnerability affecting D-Link NAS devices. The bug, tracked as **CVE-2024-10914**, impacts the following models:
- **D-Link DNS-320**
- **D-Link DNS-320LW**
- **D-Link DNS-325**
- **D-Link DNS-340L**
The vulnerability is in a function called `cgi_user_add`, which is part of the `/cgi-bin/account_mgr.cgi` script.
The bug happens because the `name` parameter isn't properly checked before it's used in system commands.
This lets an attacker send malicious input (OS commands) in the `name` field to execute anything they want on the device.
For example, an attacker can execute an `id` command by sending it in the `name` field of the request path: `/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27`
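
For defenders, the request shape described above can be searched for in web or proxy access logs. The following is an added example, not part of this repo's PoC: it assumes combined-format access logs from a proxy or gateway in front of the NAS, and the username allow-list (`SAFE_NAME`) is an assumed policy, not taken from D-Link firmware.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed username policy for this example: letters, digits, '_', '.', '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Request line as it appears in combined-format access logs.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_name(url):
    """Return the decoded `name` value when the request calls cgi_user_add
    with a name outside the allow-list; otherwise return None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/cgi-bin/account_mgr.cgi"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "cgi_user_add" not in params.get("cmd", []):
        return None
    for name in params.get("name", []):
        # Quotes, semicolons, backticks, spaces etc. all fail the allow-list.
        if not SAFE_NAME.fullmatch(name):
            return name
    return None

def scan(lines):
    """Return (client_ip, decoded_name) for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match:
            name = suspicious_name(match.group(1))
            if name is not None:
                hits.append((line.split()[0], name))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2024:10:00:00 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Dec/2024:10:00:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 95',
    '203.0.113.5 - - [01/Dec/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, name in scan(SAMPLE_LOG):
        print(f"possible CVE-2024-10914 attempt from {ip}: name={name!r}")
```

Matching on an allow-list rather than a list of known-bad characters means differently encoded or differently quoted payloads in `name` are flagged as well.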
# Disclaimer
This PoC is only for testing and learning purposes. I'm not responsible for any illegal or harmful use of this code. Always act responsibly when researching or testing vulnerabilities.