
Over 92,000 D-Link NAS devices face compromise risk


More than 92,000 outdated internet-exposed D-Link Network Attached Storage devices could be breached in attacks exploiting a newly discovered arbitrary command injection and hardcoded backdoor vulnerability, tracked as CVE-2024-3273, which could result in sensitive data access, system configuration modifications, and denial-of-service conditions, reports Security Affairs.

The flaw was discovered by cybersecurity researcher Netsecfish in the nas_sharing.cgi script, which was found to contain a backdoor enabled by hardcoded credentials that allowed authentication bypass, as well as command injection through the system parameter. No updates to remediate the flaw are expected for the impacted D-Link NAS models (including DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013; DNS-325 Version 1.01; DNS-327L Version 1.09, Version 1.00.0409.2013; and DNS-340L Version 1.08), all of which have already reached end-of-life.

Organizations leveraging the vulnerable NAS devices have been urged to not only immediately replace their devices but also ensure that their new devices are not connected to the internet to avert cybersecurity threats.
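A log check for the flaw described above, added here as an example and not taken from the article, the researcher, or D-Link: it scans web access logs (for instance from a proxy in front of the NAS) for requests to nas_sharing.cgi and rates those carrying a system parameter as high severity. The combined log format, the /cgi-bin/ path, and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format, documentation IP ranges,
# placeholder parameter values). The /cgi-bin/ prefix is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?system=PLACEHOLDER HTTP/1.1" 200 57 "-" "curl/8.0"
192.0.2.15 - - [08/Apr/2024:10:02:10 +0000] "GET /web/login.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2024:10:03:44 +0000] "GET /CGI-BIN/nas%5Fsharing.CGI?x=1&System=PLACEHOLDER HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.9 - - [08/Apr/2024:10:05:00 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT = "nas_sharing.cgi"   # script named in the article
PARAM = "system"             # injectable parameter named in the article

def classify(line):
    """Return a finding dict for requests that touch the script, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode percent-escapes and ignore case so trivial obfuscation still matches.
    script = unquote(url.path).rsplit("/", 1)[-1].lower()
    if script != SCRIPT:
        return None
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    # Request bodies are not in access logs, so any other hit on the script
    # of an end-of-life device is still queued for manual review.
    severity = "high" if PARAM in params else "review"
    return {"src": m["src"], "ts": m["ts"],
            "status": int(m["status"]), "severity": severity}

def scan(log_text):
    """Group findings by source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        finding = classify(line)
        if finding:
            hits[finding["src"]].append(finding)
    return dict(hits)

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG).items():
        print(src, [(f["ts"], f["severity"], f["status"]) for f in findings])
```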
