The flaw, with the catchy name CVE-2024-10914, allows unauthenticated attackers to execute arbitrary commands through unsanitised HTTP requests.
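The bug class behind this (a request parameter spliced into a shell command without validation) is easy to show in a few lines. The following is an added illustration, not code from the article or from D-Link firmware: the `adduser` command, the `name` parameter, and the helper names are all hypothetical, chosen only to show the vulnerable pattern beside its hardened form and a simple log-review check.

```python
"""Constructed example of OS command injection via an unsanitised HTTP
parameter, and the hardened equivalent. Nothing here is D-Link code; the
handler, parameter name and command are hypothetical."""
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical allow-list for a username parameter: letters, digits, _ . -
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Shell metacharacters a request parameter should never legitimately carry
SHELL_META_RE = re.compile(r"[;&|`$()<>\n]")


def build_command_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the decoded parameter is interpolated into a
    command STRING that would be handed to a shell, so any metacharacter in
    the request becomes part of the command line."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    return f"adduser {name}"  # would be run with shell=True in the bad code


def build_command_safe(query_string: str) -> list:
    """Hardened pattern: reject anything outside a strict allow-list, then
    build an argv LIST so no shell ever parses the value."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"rejected username parameter: {name!r}")
    return ["adduser", name]


def run_safe(argv: list) -> subprocess.CompletedProcess:
    """Execute an argv list without a shell; every element stays literal."""
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=False)


def looks_injected(query_string: str) -> bool:
    """Log-review check: flag a query string whose decoded parameter values
    contain shell metacharacters (including URL-encoded ones)."""
    decoded = parse_qs(query_string, keep_blank_values=True)
    return any(SHELL_META_RE.search(v)
               for values in decoded.values() for v in values)


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a metacharacter.
    for qs in ("name=alice", "name=alice%3Becho+injected"):
        print("query:", qs)
        print("  unsafe command string:", build_command_unsafe(qs))
        try:
            print("  safe argv:", build_command_safe(qs))
        except ValueError as exc:
            print("  safe handler:", exc)
        print("  flagged by log check:", looks_injected(qs))
    # With an argv list, the metacharacter is just text, not a second command.
    print(run_safe(["echo", "alice;echo injected"]).stdout.strip())
```

The decisive difference is not the regex but the argv list: even if validation were bypassed, `subprocess.run([...], shell=False)` never gives a shell the chance to interpret the value. The `looks_injected` check is deliberately coarse and is meant for triaging access logs from devices that cannot be patched, not as a substitute for isolating them.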
In its security bulletin, the company has advised users to retire or isolate the affected devices from public internet access.
The flaw impacts multiple models of D-Link NAS devices, commonly used by small businesses, including DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Versions 1.01 and 1.02, and DNS-340L Version 1.08.
A search conducted by Netsecfish on the FOFA platform revealed 61,147 instances of vulnerable D-Link devices across 41,097 unique IP addresses.
In April this year, the same researcher uncovered another significant vulnerability in similar D-Link NAS models. This flaw, tracked as CVE-2024-3273, included an arbitrary command injection and a hardcoded backdoor, raising concerns about the security of these devices.
D-Link said that if retirement of the affected devices is not immediately feasible, they should be isolated from the public internet or placed under stricter access conditions to mitigate the risk.
To be fair, the faulty devices have been around since September 7, 2010, so even if there are still a lot of them out there they are well past their "best before" date.