92,000+ internet-facing D-Link NAS devices accessible via “backdoor” account (CVE-2024-3273)

A vulnerability in four old D-Link NAS models could be exploited to compromise internet-facing devices, a threat researcher has found.

The existence of the flaw was confirmed by D-Link last week, and an exploit for opening an interactive shell has popped up on GitHub.

“The vulnerability lies within the nas_sharing.cgi URI, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter,” says the discoverer, who goes by the online handle “Netsecfish”.

CVE-2024-3273 affects D-Link NAS models DNS-320L, DNS-325, DNS-327L, and DNS-340L, all of which reached end-of-life years ago.

“This exploit affects legacy D-Link products and all hardware revisions, which have reached their End of Life/End of Service Life Life-Cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link,” the company said in the security advisory.

“D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced. If US consumers continue to use these devices against D-Link’s recommendation, please make sure the device has the last known firmware, which can be located on the Legacy Website. Please make sure you frequently update the device’s unique password to access its web-configuration, and always have Wi-Fi encryption enabled with a unique password.”
