Dynamic Application Security TestingCVE-2024-3273 D-Link NAS Remote Code Execution
Description
CVE-2024-3273 is a critical vulnerability that affects certain end-of-life (EOL) D-Link Network-Attached Storage (NAS) devices (D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403). It's a command injection vulnerability that allows remote attackers to execute arbitrary commands on vulnerable devices via a crafted HTTP request. This could lead to unauthorized access, data theft, system modifications, and denial of service attacks.
Outbreak Alert
Multiple D-link device vulnerabilities are being actively targeted. Many of the Routers and NAS devices are end-of-life (EOL) D-Link devices that do not have any patches available.
References
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2024-10-17 | 24.20000 |
New
|
D-Link Network-Attached Storage devices (DNS-320L, DNS-325, DNS-327L and DNS-340L) are vulnerable to command injection, allowing attackers to execute arbitrary commands on the devices. |
| ID | 88 |
| CVE ID | |
| Category | web |
| Sub Category | dlink |
| Date | Sep 18, 2024 |
| Risk |
|
| Tags | D-link Multiple Devices Attack |
| Alias | command injection |
| Type | OWASP injection |
| CVSS | 9.8 |
| Author |
Rakesh Mali |