D-Link NAS users are out of luck in the face of a severe vulnerability, as the company says it will not update end-of-life (EOL) devices.
According to the National Vulnerability Database, an issue “was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028.” The vulnerability has been assigned a 9.2 severity score.
Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
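The NVD text above describes the vector (the `name` argument of the `cgi_user_add` command on `/cgi-bin/account_mgr.cgi`) but says nothing about how an operator of an unpatched NAS would notice attempts against it. The following script is an added example, not code from the article, D-Link or NVD: it parses combined-format access-log lines, isolates requests to that CGI path, and flags any `cgi_user_add` call whose `name` value contains shell metacharacters, the sign that the argument is being manipulated rather than used as a plain user name. The log lines are constructed samples, and the assumption that the NAS web server writes a combined-style access log (or that a reverse proxy in front of it does) is mine, not the page's.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined-log style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
203.0.113.9 - - [05/Nov/2024:10:01:07 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob%3B%20probe HTTP/1.1" 200 512
198.51.100.3 - - [05/Nov/2024:10:02:11 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_del&name=carol HTTP/1.1" 200 128
192.0.2.44 - - [05/Nov/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Endpoint named in the NVD description.
CGI_PATH = "/cgi-bin/account_mgr.cgi"

# Combined-log request line: source, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value break out of a shell-built command line.
SHELL_META = re.compile(r'[;|&`$<>\n]')


def classify(line):
    """Return a finding dict for a request to account_mgr.cgi, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != CGI_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    cmd = params.get("cmd", [""])[0]
    # parse_qs decodes percent-encoding once; decode again so a
    # double-encoded value is inspected in its final form.
    name = unquote(params.get("name", [""])[0])
    if cmd == "cgi_user_add" and SHELL_META.search(name):
        verdict = "suspicious"   # name carries shell metacharacters
    elif cmd == "cgi_user_add":
        verdict = "user_add"     # account creation on an unpatched NAS is worth logging
    else:
        verdict = "other"        # some other account_mgr command
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "cmd": cmd,
        "name": name,
        "verdict": verdict,
    }


def scan(log_text):
    """Classify every line of a log; lines not touching the CGI are dropped."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['verdict']:10} {finding['src']:15} "
              f"{finding['ts']} cmd={finding['cmd']} name={finding['name']!r}")
```

Run against a real log the same way (`scan(open(path).read())`); because affected models will never receive a firmware fix, a `suspicious` hit is a trigger to take the device off the network and treat any accounts it holds as compromised rather than a prompt to patch.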
Despite the severity of the vulnerability, D-Link says it will not address the issue on EOL devices.
This exploit affects legacy D-Link products and all hardware revisions that have reached their end-of-life (“EOL”)/end-of-service-life (“EOS”) Life Cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link.
D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS. Please get in touch with your regional office for recommendations (LINK).
Regardless of product type or sales channel, D-Link’s general policy is that when products reach EOS/EOL, they can no longer be supported, and all firmware development ceases for them.
The list of impacted devices is below:
While companies are under no obligation to continue to support EOL products, it’s not uncommon in special circumstances—such as a 9.2 severity vulnerability—for companies to go above and beyond to fix such vulnerabilities.
Unfortunately for D-Link NAS users, the company does not appear to be prepared to go above and beyond.