Olly42, Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks.
Over 92,000 end-of-life D-Link Network Attached Storage (NAS) devices are exposed online and unpatched against a critical remote code execution (RCE) zero-day flaw.
Affected D-Link NAS devices include models DNS-340L, DNS-320L, DNS-327L and DNS-325.
CVE-2024-3272 (CVSS score: 9.8)
CVE-2024-3273 (CVSS score: 7.3)
D-Link advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
#dlink #nas #sec #tech #engineer #news
The command injection flaw arises when a base64-encoded command is supplied in the "system" parameter of an HTTP GET request; the device decodes and executes it. (Example of the malicious request)
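For defenders, the pattern described above (a GET request whose "system" query parameter carries a base64-encoded command) is easy to hunt for in web-server access logs. The following is an added example, not code from the post, D-Link or Netsecfish: it parses Combined-Log-Format lines, pulls the "system" parameter out of the request target, and flags values that decode from base64 to printable text. The log lines, the endpoint path (`/cgi-bin/EXAMPLE_ENDPOINT.cgi`, a placeholder, not the real CGI path) and the sample payload (which decodes to the harmless string `id`) are all constructed for illustration.

```python
"""Flag access-log entries whose 'system' query parameter carries a
base64-encoded command (the injection pattern described in the post).

Added example, not from the post, D-Link or Netsecfish. The log format,
endpoint path and payloads below are constructed for illustration."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log. The CGI path is a placeholder, not the real
# vulnerable endpoint. "aWQ=" is base64 for the harmless command "id".
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2024:10:01:02 +0000] "GET /cgi-bin/EXAMPLE_ENDPOINT.cgi?system=aWQ= HTTP/1.1" 200 512
198.51.100.9 - - [07/Apr/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.4 - - [07/Apr/2024:10:01:09 +0000] "GET /cgi-bin/EXAMPLE_ENDPOINT.cgi?system=status HTTP/1.1" 200 300
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_b64_command(value):
    """Return the decoded text if `value` is strict base64 of printable ASCII,
    otherwise None. Strict validation avoids flagging ordinary words such as
    'status' that merely use base64-alphabet characters."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not text.isprintable():
        return None
    return text


def inspect_request_target(target):
    """Return the decoded 'system' payload carried by a request target, or None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("system", []):
        decoded = decode_b64_command(value)
        if decoded is not None:
            return decoded
    return None


def scan_access_log(text):
    """Return (client_ip, path, decoded_payload) for each suspicious GET request."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        decoded = inspect_request_target(match.group("target"))
        if decoded is None:
            continue
        client_ip = line.split(" ", 1)[0]
        hits.append((client_ip, urlsplit(match.group("target")).path, decoded))
    return hits


if __name__ == "__main__":
    for ip, path, cmd in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path} system={cmd!r}")
```

Run against a real access log, only the first sample line is the kind of entry worth an alert; the `status` value on the third line is rejected because it is not valid padded base64. Since the affected models are end-of-life and will not receive a patch, the practical mitigations remain taking the devices off the internet and restricting access to the management interface.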
Netsecfish's network scans show over 92,000 vulnerable D-Link NAS devices exposed online and susceptible to attacks through these flaws. (Netsecfish on GitHub: https://github.com/netsecfish/dlink?tab=readme-ov-file)