D-link NAS devices exposed to CVE-2024-3272 & CVE-2024-3273 vulnerabilities 

Home » Blog » D-link NAS devices exposed to CVE-2024-3272 & CVE-2024-3273 vulnerabilities 

D-link NAS devices exposed to CVE-2024-3272 & CVE-2024-3273 vulnerabilities 

D-Link’s Network Attached Storage devices are exposed to a security flaw that threat actors are actively exploiting to steal sensitive data and orchestrate malware attacks.  

The vulnerabilities are currently labeled and tracked as CVE-2024-3272 with a CVSS score of 9.8 (critical) and CVE-2024-3273 with a CVSS score of 7.3 (high). 

Impacted products 

These vulnerabilities are affecting over 92000 D-Link’s NAS devices. NAS devices or Network Attached Storage devices act as a centralized storage device connected to a network, which other machines on the network can connect to read and write data. These systems act as a convenient and reliable system over actual systems connected over a local network. NAS devices are independent devices with their processing capabilities and operating systems. 

The vulnerabilities are impacting devices with End-of-Life (EOL) status. 

The impacted models of D-Link NAS devices that are being exposed to the said vulnerabilities include DNS-320L, DNS-325L, DNS 327L, and DNS 340L 

About the vulnerabilities 

Experts have warned that upon effective exploitation of the vulnerabilities, attackers can execute a well-orchestrated botnet malware attack to remotely control the impacted devices.  

They could engage in arbitrary execution of commands, alter system configurations, and leverage compromised devices to orchestrate Denial of Service (DoS) attacks. Some cybersecurity experts have observed instances of Mirai Botnet Malware being delivered via exploitation of the vulnerabilities. The following are the vulnerabilities that are being exploited: 

CVE-2024-3272 (CVSS 9.8) 

It is a vulnerability that has created a backdoor account that is enabled by an attacker by hardcoding credentials into the firmware. 

CVE-2024-3273 (CVSS 7.3) 

It is a vulnerability that was found in DNS-320L, DNS-325, DNS-327L and DNS-340L. It was discovered recently with Proof of Concept of the exploit available. It allows remote access to the web management interface and enables an attacker to remotely execute commands.  

Upon exploitation, the attacker can launch a full-fledged remote attack. The vulnerability can easily be remotely activated using an HTTP GET request that can be used to control exposed devices.  

SharkStriker’s action and recommendations

The following are the recommendations given and actions implemented by SharkStriker for their customers and partners: 

  • We recommend users of legacy devices update their devices to the latest firmware from the D-Link site. (Note: products that have reached End of Life (EoL) will no longer be receiving device software updates)  
  • For proactive aversion of threats relating to the exploitation of these vulnerabilities, it is advised to replace hardware as soon as the device has reached the end-of-life status 
  • SharkStriker’s threat experts are continuously monitoring customers’ environments for IoCs or IoAs 
  • SharkStriker’s threat experts are continuously scanning the environment for vulnerabilities 
  • Customers can check the status of their posture through STRIEGO’s dashboards 


Experience end-to-end management
of statutory and regulatory compliance
through our dedicated service for compliance

Explore More >

Latest Post