Over 92,000 exposed D-Link NAS devices have a backdoor account
Security News, April 2024
A threat researcher, Netsecfish, has disclosed an arbitrary command injection and hardcoded backdoor flaw in several end-of-life D-Link Network Attached Storage (NAS) models.
The two issues that together make up the flaw, tracked as CVE-2024-3273, are a backdoor in the form of a hardcoded account and a command injection problem via the "System" parameter; chained, they give an unauthenticated attacker command execution on the device.
Netsecfish says network scans show over 92,000 vulnerable D-Link NAS devices exposed online and susceptible to attack through these flaws.
When contacted about the flaw and whether a patch would be released, D-Link said that these NAS models have reached end of life and are no longer supported, so no fix should be expected.
NAS devices should never be exposed to the internet: they are a common target for data theft and for encryption in ransomware attacks, and an unsupported device with a known backdoor cannot be made safe by patching.
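For owners of an end-of-life device that cannot be patched, one practical step is to check web-server access logs for the request shape described above: a CGI request that carries a "system" parameter containing a shell command. The script below is an added example written for this page, not code from Netsecfish, D-Link or the original article. It assumes Apache/nginx "combined" log format, that the affected endpoint lives under a `.cgi` path, and that the parameter is literally named `system`; the endpoint name `example.cgi` and all log lines are constructed for the demonstration. Because encoded payloads are common in exploit tooling, values that are valid base64 are decoded before being checked, which is a general heuristic and not something the page states about this flaw.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines in Apache/nginx "combined" format; not real traffic.
# The endpoint name example.cgi is a placeholder, not the real vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2024:10:01:12 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Apr/2024:10:01:15 +0000] "GET /cgi-bin/example.cgi?user=guest&system=ls HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.9 - - [04/Apr/2024:10:02:01 +0000] "GET /cgi-bin/example.cgi?user=guest&system=ls%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [04/Apr/2024:10:02:04 +0000] "GET /cgi-bin/example.cgi?user=guest&system=aWQ7dW5hbWUgLWE%3D HTTP/1.1" 200 310 "-" "python-requests/2.31"
192.0.2.5 - - [04/Apr/2024:10:03:00 +0000] "POST /api/login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
"""

# Minimal "combined" log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let one shell command turn into several: ; | & ` newline and $(
SHELL_META = re.compile(r'[;|&`\n]|\$\(')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl URL-decodes values, so %3B becomes ';' and %3D becomes '='.
    rec["params"] = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return rec


def maybe_base64(value):
    """Heuristic: return the decoded text if value is base64 of printable ASCII, else None."""
    if len(value) < 4 or not re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c in "\n\t" for c in text):
        return text
    return None


def assess_system_param(value):
    """Return a reason string if the 'system' value looks like an injected shell command."""
    if SHELL_META.search(value):
        return "shell metacharacters in system parameter"
    decoded = maybe_base64(value)
    if decoded is not None and SHELL_META.search(decoded):
        return f"base64-encoded shell command: {decoded!r}"
    return None


def scan_log(text):
    """Report every CGI request carrying a 'system' parameter, with a reason for each.

    Returns a list of (client_ip, path, raw_value, reason) tuples in log order.
    Plain single-token values are still reported for review: on an unsupported
    device with a hardcoded account, any use of this parameter is worth a look.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".cgi"):  # assumption: CGI endpoint
            continue
        value = rec["params"].get("system")
        if value is None:
            continue
        reason = assess_system_param(value) or "system parameter present (review)"
        findings.append((rec["ip"], rec["path"], value, reason))
    return findings


if __name__ == "__main__":
    for ip, path, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} system={value!r}: {reason}")
```

Run it against a real log with `scan_log(open(path).read())`; the two requests from 198.51.100.9 are the ones a responder would pivot on, while the plain `ls` request from 203.0.113.7 is listed only for review. A request that reaches the parameter at all from the internet is already a sign the device is exposed in the way the article warns against.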
Related Vulnerability
Date | CVE | Vulnerability title | Risk (CVSS) |
---|---|---|---|
2024-04-04 | CVE-2024-3273 | Command Injection vulnerability in D-Link products ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. | 9.8 |