CVE-2024-3272 — D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability

CVE-2024-3272

D-Link NAS — Hard-Coded Backdoor Account Enables Unauthenticated RCE on EOL Devices

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L are network-attached storage (NAS) devices that provide shared file storage, media streaming, and backup services over a local or internet-accessible network connection. These consumer and small-business NAS devices are widely deployed in home offices, small businesses, and some enterprise environments. All affected models have reached end-of-life and will not receive security patches from D-Link. NAS devices storing sensitive organizational data or accessible from the internet without segmentation represent a particularly high-value target.

Overview

CVE-2024-3272 is a hard-coded credential vulnerability in multiple D-Link NAS devices — a backdoor account (messagebus with an empty password) that allows unauthenticated remote login via the device's web management interface. When combined with CVE-2024-3273 (an OS command injection vulnerability in the same devices, added to the CISA KEV catalog the same day), the hard-coded credential provides the authentication required to exploit the command injection, enabling full unauthenticated remote code execution on the device. D-Link confirmed the affected models are end-of-life and will not issue firmware patches; CISA's guidance is to retire and replace the devices.

Affected Versions

Device            Status
D-Link DNS-320L   End-of-life; no patch available
D-Link DNS-325    End-of-life; no patch available
D-Link DNS-327L   End-of-life; no patch available
D-Link DNS-340L   End-of-life; no patch available

No firmware update will be released. Replacement is the only remediation.

Technical Details

CWE-798 (Use of Hard-Coded Credentials). The affected D-Link NAS firmware contains a built-in messagebus account with a blank (empty string) password. This account can authenticate to the NAS web management interface and has sufficient privileges to invoke CGI endpoints. Combined with CVE-2024-3273:

  1. CVE-2024-3272 (hard-coded credential): the messagebus account, with an empty password, authenticates to the web management interface without any legitimate credentials.
  2. CVE-2024-3273 (OS command injection in the nas_sharing.cgi endpoint via the system parameter): the authenticated CGI endpoint passes user-supplied input to a shell command, enabling arbitrary OS command execution.

The combined chain produces unauthenticated root-level remote code execution on any internet-accessible affected NAS device.
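As an added example that is not part of the advisory, the following Python detector flags web access-log requests to nas_sharing.cgi that show the two indicators described above (the messagebus account and a system parameter). The log lines are constructed; the CGI path, the Common Log Format and the "user" parameter name are assumptions, while the endpoint, the "system" parameter and the messagebus account come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format is an assumption).
# Lines 3 and 4 show the hard-coded messagebus account; line 3 also carries
# the "system" parameter that CVE-2024-3273 injects through.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice&share=docs HTTP/1.1" 200 220
203.0.113.10 - - [11/Apr/2024:10:01:05 +0000] "GET /web/login.html HTTP/1.1" 200 512
198.51.100.7 - - [11/Apr/2024:10:02:17 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=PLACEHOLDER HTTP/1.1" 200 1020
198.51.100.7 - - [11/Apr/2024:10:02:40 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus HTTP/1.1" 200 300
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return (client_ip, tags) for a nas_sharing.cgi request that shows
    CVE-2024-3272 / CVE-2024-3273 indicators, or None for anything else."""
    m = CLF_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/nas_sharing.cgi"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    tags = []
    if params.get("user", [""])[0] == "messagebus":
        tags.append("hardcoded-account")   # CVE-2024-3272: backdoor account in use
    if "system" in params:
        tags.append("system-param")        # CVE-2024-3273: injection parameter present
    if len(tags) == 2:
        tags.append("rce-chain")           # both indicators in a single request
    return (m.group("ip"), tags) if tags else None


def scan_log(text):
    """Classify every line and return the flagged requests in log order."""
    return [hit for hit in map(classify, text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(tags)}")
```

Any hit carrying the rce-chain tag on a device that is still reachable from the internet should be treated as a likely compromise, since the advisory states no patch exists.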

Discovery

Discovered by security researchers and reported to D-Link. D-Link confirmed the affected devices are end-of-life and no patch will be developed.

Exploitation Context

Active exploitation was confirmed, prompting CISA KEV addition on April 11, 2024. Exploitation by Mirai-based botnet operators is the primary documented campaign: D-Link NAS devices are systematically targeted by botnets that scan for known default credentials and command injection endpoints to recruit devices as DDoS slaves. Internet-accessible NAS devices also represent a risk for data exfiltration — shared network storage may contain sensitive business documents, backups, and personal files. The end-of-life status means the exposure is permanent for any organization that retains and connects these devices.

Remediation

  1. Retire and replace all affected D-Link NAS devices (DNS-320L, DNS-325, DNS-327L, DNS-340L) — no firmware patch will be issued.
  2. If replacement cannot happen right away, disconnect affected devices from all internet access at once. Place them behind a firewall with no inbound internet connections to the management interface or NAS ports.
  3. Migrate data to a supported NAS platform with active security patching before decommissioning.
  4. Audit all D-Link NAS devices in the environment for end-of-life status; apply the same isolation-then-replace approach to any models no longer receiving firmware updates.

Key Details

Property              Value
CVE ID                CVE-2024-3272
Vendor / Product      D-Link — Multiple NAS Devices
NVD Published         2024-04-04
NVD Last Modified     2025-10-30
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-798
CISA KEV Added        2024-04-11
CISA KEV Deadline     2024-05-02
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-05-02. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Timeline

Date        Event
2024-04-04  CVE published; D-Link confirms affected NAS devices are end-of-life and will not receive patches
2024-04-11  Added to CISA Known Exploited Vulnerabilities catalog
2024-05-02  CISA BOD 22-01 remediation deadline

References

Resource                                   Type
D-Link Security Announcement — SAP10383    Vendor Advisory
NVD — CVE-2024-3272                        Vulnerability Database
CISA KEV Catalog Entry                     US Government