Exploitation Attempts Target Unpatched Flaw Affecting Many D-Link NAS Devices

Unpatched D-Link NAS device vulnerability CVE-2024-3273, potentially affecting many devices, is being exploited in the wild.

An unpatched vulnerability that could affect many D-Link network-attached storage (NAS) devices is apparently being exploited in the wild.

The vulnerability, tracked as CVE-2024-3273, was disclosed recently — along with a proof-of-concept (PoC) exploit — by an individual who uses the online moniker ‘NetworkSecurityFish’. 

According to an advisory published by this individual on GitHub, the flaw impacts DNS-340L, DNS-320L, DNS-327L, and DNS-325, among other, unspecified models. While there is only one CVE identifier, there are two issues: hardcoded credentials that allow remote access to the device’s web management interface, and a command injection bug. 

Chained together, these weaknesses allow an unauthenticated attacker to execute arbitrary commands on a device, enabling them to gain access to information, change system configuration, or cause a DoS condition, NetworkSecurityFish said.

D-Link has published an advisory confirming that the four models named by NetworkSecurityFish are impacted, but did not name others that could be affected. The company is urging customers to stop using impacted devices, since they reached end of life (EOL) several years ago and will not receive patches.

A few days after D-Link published its advisory, the cybersecurity industry started seeing attempts to exploit CVE-2024-3273.

Threat intelligence company GreyNoise is tracking exploitation attempts and to date it has seen attacks coming from a single IP address.

The Shadowserver Foundation on Monday reported seeing “scans/exploits from multiple IPs”. 

It’s possible that some of the scans are conducted by cybersecurity companies or independent researchers, but malicious exploitation attempts are also likely occurring considering that it’s not uncommon for threat actors to target D-Link devices. 

The US cybersecurity agency CISA is currently aware of 16 D-Link product vulnerabilities that have been exploited in the wild. NAS devices in general are often targeted in malicious attacks. 

NetworkSecurityFish has published a screenshot of a search conducted using the FOFA search engine, which appears to show 92,000 results for what he claims to be affected D-Link NAS devices. It’s unclear if the search accurately shows the number of impacted devices. 

Shadowserver, for instance, shows only a few thousand internet-exposed devices that match the D-Link NAS models that are specifically named by the researcher and the vendor.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
