CVE-2024-3273 — D-Link Multiple NAS Devices Command Injection Vulnerability

CVE-2024-3273

D-Link DNS-320L/325/327L/340L NAS — Unauthenticated RCE via Hardcoded Credentials + Command Injection; EOL, No Patch

D-Link DNS-series Network Attached Storage (NAS) devices are consumer and small-business file servers that allow multiple users to share files over a network. The DNS-320L, DNS-325, DNS-327L, and DNS-340L are multi-bay NAS appliances that were popular in home offices and small businesses for centralized file storage, media serving, and backup. These devices run embedded Linux firmware with web-based management interfaces exposed on the local network and, in many deployments, directly to the internet. Because they are often set-and-forgotten devices storing years of personal and business data, they are high-value targets for data theft and ransomware staging.

Overview

CVE-2024-3273 is a command injection vulnerability in the management interface of D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L NAS devices. When chained with CVE-2024-3272 — which exploits a hardcoded backdoor account (messagebus with an empty password) to authenticate without valid credentials — an attacker gains unauthenticated remote code execution on the affected NAS. D-Link confirmed all affected hardware revisions have reached end-of-life with no patches planned; CISA's recommended action is to retire and replace the devices.

Affected Versions

Device           Status
D-Link DNS-320L  EOL — no patch; retire and replace
D-Link DNS-325   EOL — no patch; retire and replace
D-Link DNS-327L  EOL — no patch; retire and replace
D-Link DNS-340L  EOL — no patch; retire and replace

Technical Details

CWE-77 (Command Injection). The NAS management interface processes user-supplied parameters that are passed to system commands without adequate sanitization. By injecting shell metacharacters or command separators into the vulnerable parameter, an attacker can execute arbitrary OS commands in the context of the web server process (typically root on embedded Linux devices).

The complete unauthenticated exploitation chain:

  1. CVE-2024-3272 — Authenticate to the NAS using the hardcoded messagebus account with an empty password. This account is present in all affected firmware versions and cannot be removed by the user.
  2. CVE-2024-3273 — Once authenticated via the backdoor account, send a crafted request to the management interface that injects OS commands through an unsanitized parameter.
  3. The injected commands execute as root on the NAS, giving the attacker full control of the device and all stored data.
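
A defender-side check for the chain above, written as an added example that is not part of this advisory or of D-Link's firmware: it scans web access-log lines for requests that authenticate as the hardcoded messagebus account and for parameter values carrying shell metacharacters or command separators. The log layout, the endpoint path and the query field names (user, passwd, cmd) are constructed placeholders, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hardcoded account named in the advisory (CVE-2024-3272). Which query field
# carries the username is an assumption made for this constructed example.
BACKDOOR_ACCOUNT = "messagebus"
USER_FIELDS = {"user", "username"}
# Shell metacharacters and command separators a web parameter should never carry.
METACHAR_RE = re.compile(r"[;|&`$\n\r]")
# Common Log Format: client ident authuser [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+')

# Constructed sample log. Paths and parameter names are placeholders, not the
# real vulnerable endpoint; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2024:08:01:12 +0000] "GET /cgi-bin/EXAMPLE.cgi?user=admin&cmd=list HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2024:08:02:45 +0000] "GET /cgi-bin/EXAMPLE.cgi?user=messagebus&passwd=&cmd=list HTTP/1.1" 200 88
203.0.113.7 - - [10/Apr/2024:08:02:46 +0000] "GET /cgi-bin/EXAMPLE.cgi?user=messagebus&passwd=&cmd=list%3Bid HTTP/1.1" 200 120
192.0.2.10 - - [10/Apr/2024:08:05:00 +0000] "GET /cgi-bin/EXAMPLE.cgi?user=admin&name=a%20b HTTP/1.1" 200 64
"""


def analyse_request(target: str) -> list[str]:
    """Return the reasons a single request target matches the chain above."""
    reasons = []
    # parse_qsl percent-decodes values, so encoded separators (%3B) are caught too.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if any(k.lower() in USER_FIELDS and v == BACKDOOR_ACCOUNT for k, v in params):
        reasons.append("backdoor-account")
    if any(METACHAR_RE.search(v) for _, v in params):
        reasons.append("shell-metachar")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Scan access-log text; return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        reasons = analyse_request(m["target"])
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} -> {', '.join(f['reasons'])}")
```

Any hit on the backdoor account is worth treating as a compromise indicator on its own, because that account has no legitimate use from the web interface.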

The CVSS score of 7.3 (C:L/I:L/A:L) understates the practical impact because access to a NAS as root provides complete access to all stored files, not just low-impact data.

Discovery

Disclosed publicly in April 2024. D-Link's security announcement confirmed both the command injection and the hardcoded credential vulnerabilities, and stated that no firmware update would be produced because all affected models have reached end-of-life. The combination of an authentication bypass with a command injection is a particularly dangerous pairing, since neither weakness requires the attacker to hold any legitimate credentials.

Exploitation Context

End-of-life NAS devices with internet-facing management interfaces are routinely targeted by botnets and ransomware staging operations. These devices often remain online for years past their EOL date because owners don't realize the risk. Threat actors scan for vulnerable D-Link NAS models using Shodan and mass-exploit them to: exfiltrate years of stored files, use the device as a pivot point for attacks on the local network, or deploy cryptomining or botnet agent software. The mass-exploitation risk is amplified by the availability of public PoC code.

Remediation

  1. Replace the device — D-Link will not issue a patch. Retire all affected DNS-320L, DNS-325, DNS-327L, and DNS-340L units and replace with supported NAS hardware.
  2. If immediate replacement is not possible, as an interim measure disconnect the NAS from the internet by blocking all inbound connections at the router or firewall, and permit only internal network access until the device is replaced.
  3. Back up all data from the NAS before taking it offline — assume any internet-exposed device may already be compromised.
  4. Check for unexpected processes, modified files, or unfamiliar scheduled tasks on the NAS before decommissioning it.

Key Details

Property              Value
CVE ID                CVE-2024-3273
Vendor / Product      D-Link — Multiple NAS Devices
NVD Published         2024-04-04
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity              HIGH
CWE                   CWE-77
CISA KEV Added        2024-04-11
CISA KEV Deadline     2024-05-02
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      Low
Integrity            Low
Availability         Low

Required Action

CISA BOD 22-01 Deadline: 2024-05-02. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Timeline

Date        Event
2024-04-04  CVE published; D-Link confirms devices are EOL with no patch planned
2024-04-11  Added to CISA Known Exploited Vulnerabilities catalog
2024-05-02  CISA BOD 22-01 remediation deadline