D-Link NAS Command Injection Vulnerability Influence On 92k Devices

A brand-new command injection vulnerability and a backdoor account have been identified in D-Link Network Attached Storage devices. It affected D-Link NAS devices such as DNS-340L, DNS-320L, DNS-327L, and DNS-325.

This is found in these devices' nas_sharing.cgi file. The interesting part is that the system parameter has a command injection vulnerability (CVE-2024-3273). In total, these vulnerabilities affect roughly 92,000 D-Link NAS machines that are open to the internet.

Generally speaking, D-Link has provided fixes for these vulnerabilities. Customers are recommended to apply them as soon as feasible.

Key Details Related To Vulnerability

According to the findings, if these vulnerabilities are exploited, a threat actor might execute arbitrary commands on the vulnerable device. Later on, it will gain access to confidential data.

A threat actor might also change the system settings. Furthermore, it causes a denial of service and enters a command in the command parameter. The nas_sharing.cgi script is a CGI (Common Gateway Interface) script with a hardcoded account. To be honest, it may be exploited as a backdoor by exposing usernames and passwords.

The exploitation is straightforward. Apart from this, the parameter request has a username (user=messagebus) and an empty password (passwd=). This might provide threat actors improper access. For this, there is no requirement for any adequate authentication.

Additionally, the System parameter may be used for command injection. Besides, it will encode a base64-encoded value into a command. Ultimately, Authentication is highly required for this.


To attack this vulnerability.cgi endpoint, a threat actor can create a malicious HTTP request. The interesting thing is that it targets the /cgi-bin/nas_sharing path. One important thing to keep in mind is that the answer to this HTTP request contains the decrypted system parameter value. This value is included in the request itself.

Affected Products

Here is a list of products that have already been affected by the

  • DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
  • DNS-325 Version 1.01
  • DNS-327L Version 1.09, Version 1.00.0409.2013
  • DNS-340L Version 1.08

It is suggested that users of these products update to the most recent versions. It is all because of avoiding threat actors from exploiting these vulnerabilities.