Over 90,000 D-Link NAS Devices Are Under Attack

Written by

Network attached storage (NAS) vendor D-Link has urged users of end-of-life (EOL) products to retire and replace them, after news emerged of mass exploitation of legacy kit via a newly discovered vulnerability.

Security researcher “netsecfish” published details of the vulnerability, which affects various D-Link NAS devices, on March 26.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter,” they explained.

“This exploitation could lead to arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service, by specifying a command, affecting over 92,000 devices on the internet.”

Read more on NAS threats: Deadbolt Ransomware Extorts Vendors and Customers

Now described as CVE-2024-3273, the high-severity vulnerability has been assigned a CVSS score of 7.3.

D-Link confirmed in an advisory that the following EOL models are exposed to exploitation of the vulnerability as they are no longer receiving firmware updates: DNS-340L, DNS-320L, DNS-327L and DNS-325.

“D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use these devices against D-Link’s recommendation, please make sure the device has the last known firmware which can be located on the Legacy Website links above,” it added.

“Please make sure you frequently update the device’s unique password to access its web-configuration, and always have Wi-Fi encryption enabled with a unique password.”

Non-profit threat research organization the ShadowServer Foundation confirmed that threat actors are now actively targeting vulnerable NAS devices.

“We have started to see scans/exploits from multiple IPs for CVE-2024-3273 (vulnerability in end-of-life D-Link Network Area Storage devices). This involves chaining of a backdoor & command injection to achieve RCE,” it said in a post on X (formerly Twitter).

“Exploit & PoC details are public. As there is no patch for this vulnerability, these devices should be taken offline/replaced or at least have their remote access firewalled.”

NAS devices are a popular target for botnet herders and ransomware actors as they are often managed by home users, which can mean they’re less well-protected than enterprise systems.

Image credit: JHVEPhoto / Shutterstock.com

What’s hot on Infosecurity Magazine?