Critical Flaw in D-Link NAS Devices Under Active Exploitation

Written by Mitchell Langley

April 14, 2024

A critical flaw in D-Link NAS devices is under active exploitation, leaving over 92,000 devices vulnerable to remote code execution. No patch is available yet!

Security researchers have reported that a critical remote code execution (RCE) vulnerability present in tens of thousands of D-Link Network Attached Storage (NAS) devices is now being actively exploited in attacks.

Critical Flaw in D-Link NAS Allows Arbitrary Command Execution

Discovered by researcher Netsecfish, the flaw (CVE-2024-3273) stems from a hard-coded backdoor account with blank credentials, combined with a command injection in the “system” parameter that allows arbitrary commands to be executed.

Threat actors are chaining the backdoor access and the RCE bug to deploy variants of the infamous Mirai botnet malware, likely with the goal of incorporating infected devices into large-scale DDoS botnets.

“The described vulnerability affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others,” Netsecfish explains.

“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.”
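One way to triage web logs for requests carrying the “system” parameter described above, as an added example that is not from the original article or from D-Link. It assumes HTTP access logs in common log format captured by a proxy or sensor in front of the NAS; the sample lines, the path PLACEHOLDER.cgi and the user/passwd field names are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (common log format). Path, addresses and parameter
# values are placeholders, not indicators taken from real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2024:03:12:44 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?user=svc&passwd=&system=CONSTRUCTED HTTP/1.1" 200 112
203.0.113.20 - - [10/Apr/2024:03:13:02 +0000] "GET /index.html?lang=en HTTP/1.1" 200 5120
198.51.100.7 - - [10/Apr/2024:03:13:09 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?user=svc&passwd=&SYSTEM=CONSTRUCTED2 HTTP/1.1" 200 98
192.0.2.55 - - [10/Apr/2024:04:01:37 +0000] "POST /cgi-bin/PLACEHOLDER.cgi?system=CONSTRUCTED3&passwd=secret HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_system_param_requests(log_text):
    """Return one hit per request whose query string has a `system` parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        url = urlsplit(m["target"])
        # keep_blank_values keeps empty fields (e.g. a blank password) visible;
        # names are lower-cased so case variants of the parameter still match.
        parsed = parse_qs(url.query, keep_blank_values=True)
        params = {k.lower(): v for k, v in parsed.items()}
        if "system" not in params:
            continue
        blank = sorted(k for k, v in params.items() if all(x == "" for x in v))
        hits.append({"src": m["src"], "ts": m["ts"], "path": url.path,
                     "status": int(m["status"]), "blank_params": blank})
    return hits

def summarize(hits):
    """Group hits per source; a 2xx reply plus a blank field counts as high."""
    by_src = defaultdict(lambda: {"requests": 0, "high": 0})
    for h in hits:
        by_src[h["src"]]["requests"] += 1
        if 200 <= h["status"] < 300 and h["blank_params"]:
            by_src[h["src"]]["high"] += 1
    return dict(by_src)

if __name__ == "__main__":
    for src, stats in summarize(find_system_param_requests(SAMPLE_LOG)).items():
        print(src, stats)
```

A source with "high" hits received a success status for a request that combined the parameter with an empty field, so the device behind it is the first candidate for isolation and review.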

Affected Devices and Models

The vulnerability impacts multiple D-Link NAS models, including but not limited to:

Model      End of Service Life
DNS-320L   05/31/2020
DNS-340L   07/31/2019

Over 92,000 devices with these models were found to still be exposed online and vulnerable to exploitation.

No Patch Available Yet!

While initially stating it would not patch the critical flaw due to the devices’ end-of-life status, D-Link later notified owners to immediately discontinue use and replace vulnerable systems. However, patches are still not available.

According to a D-Link spokesperson, the NAS devices affected by these ongoing attacks lack automatic online updating or alert delivery mechanisms. As a result, it has become impossible to notify the owners about the attacks.

Following the disclosure, D-Link took action and issued a security advisory on Thursday. The advisory aims to inform owners about the security vulnerability and strongly advises them to retire or replace the affected devices as soon as possible.

To assist owners of legacy devices, D-Link has created a support page. However, it is important to note that applying the latest security and firmware updates through the legacy support website may not offer complete protection against attackers.

With active attacks underway, the lack of an available patch from D-Link leaves thousands of devices at risk of compromise. Until patched, discontinuing exposed vulnerable systems remains the only mitigation.
