## https://sploitus.com/exploit?id=E1AAC22D-15F2-5C30-97AF-9F18690CA25F
# CVE-2024-10914 - D-Link Remote Code Execution (RCE)

This repo contains a proof-of-concept (PoC) exploit for a critical vulnerability affecting D-Link NAS devices. The bug, tracked as **CVE-2024-10914**, impacts the following models:  

- **D-Link DNS-320**  
- **D-Link DNS-320LW**  
- **D-Link DNS-325**  
- **D-Link DNS-340L**  

The vulnerability is in a function called `cgi_user_add`, which is part of the `/cgi-bin/account_mgr.cgi` script.  
The bug happens because the `name` parameter isn't properly checked before it's used in system commands.  
This lets an attacker send malicious input (OS commands) in the `name` field to execute anything they want on the device.
For example, an attacker can run the `id` command by placing it in the `name` field: `/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27`
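
A defensive check for the request pattern described above, as an added example that is not part of this repo's code: it scans web access log lines for `cgi_user_add` requests whose decoded `name` value falls outside a username allow-list. The log format, the allow-list pattern, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list for a legitimate username; not taken from D-Link firmware.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Request field of a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_name(target):
    """Return the decoded `name` value when the request calls cgi_user_add
    with a name outside the allow-list; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/account_mgr.cgi"):
        return None
    # separator="&" keeps ';' inside the value instead of splitting on it.
    query = parse_qs(parts.query, keep_blank_values=True, separator="&")
    if "cgi_user_add" not in query.get("cmd", []):
        return None
    for name in query.get("name", []):
        # parse_qs has already percent-decoded the value (%27 -> ').
        # An empty name also fails the allow-list and is reported.
        if not SAFE_NAME.fullmatch(name):
            return name
    return None


def scan(lines):
    """Return a list of (client_ip, decoded_name) for flagged log lines."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        name = suspicious_name(match.group(1))
        if name is not None:
            hits.append((line.split(" ", 1)[0], name))
    return hits


# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2024:10:01:22 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Nov/2024:10:02:03 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=backup_user HTTP/1.1" 200 128',
    '192.0.2.12 - - [12/Nov/2024:10:02:40 +0000] "GET /cgi-bin/login_mgr.cgi?cmd=login HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, name in scan(SAMPLE_LOG):
        print(f"{ip} sent cgi_user_add with suspicious name={name!r}")
```

Matching on the decoded value against an allow-list, rather than on specific metacharacters, also flags encodings and separators other than the one shown in the example URL.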

# Disclaimer
This PoC is only for testing and learning purposes. I'm not responsible for any illegal or harmful use of this code. Always act responsibly when researching or testing vulnerabilities.