Thousands of D-Link NAS devices have serious backdoor security issues

A high-severity vulnerability was recently discovered in certain D-Link Network Attached Storage (NAS) models that could be used to execute malicious code, steal sensitive data, and conduct Denial-of-Service (DoS) attacks.

Cybersecurity researcher Netsecfish, who discovered the flaw, found that multiple D-Link NAS models contain an arbitrary command injection flaw in the “system” parameter, as well as a hardcoded account that can be used to access the device. Together, these allow attackers to execute commands of their choosing on the device:

“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions,” the researcher said.

No patch

The vulnerability is tracked as CVE-2024-3273. Apparently there are approximately 92,000 of these D-Link NAS devices in use today, meaning the attack surface is relatively large.

Several models are affected, including: DNS-320L version 1.11, version 1.03.0904.2013, version 1.01.0702.2013; DNS-325 version 1.01; DNS-327L version 1.09, version 1.00.0409.2013; and DNS-340L version 1.08.

Unfortunately, no patch is coming. D-Link confirmed to BleepingComputer that these devices are well past the end of their lifespan and that the flaw will therefore not be fixed. The company released a security bulletin urging its customers to replace the devices with newer models as soon as possible.

“All D-Link Network Attached storage has been End of Life and of Service Life for many years (and) the resources associated with these products are no longer developed and are no longer supported,” the spokesperson told the publication. “D-Link recommends that these products be retired and replaced with products that receive firmware updates.”

Even devices that still receive firmware updates should never be exposed directly to the Internet, as cybercriminals consider NAS appliances high-value targets.
