Over 92,000 D-Link NAS Devices Vulnerable to Backdoor Exploitation

April 6, 2024

A security researcher known as 'Netsecfish' has revealed a new security vulnerability in multiple discontinued models of D-Link Network Attached Storage (NAS) devices. The flaw, identified as CVE-2024-3273, involves a hardcoded backdoor account (with username 'messagebus' and no password) and an arbitrary command injection issue via the 'system' parameter. When combined, these vulnerabilities could allow a cybercriminal to remotely execute commands on the device.

The command injection flaw stems from a base64-encoded command supplied in the 'system' parameter of an HTTP GET request, which the device decodes and executes. 'Netsecfish' warns, 'Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.'
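As an added example (not from the advisory, the researcher, or D-Link), the following Python scans web-server access logs for the two indicators the article names: a request using the 'messagebus' account and a 'system' parameter carrying base64 that decodes to shell text. The log lines, the CGI path and the 'user' query-parameter name are constructed assumptions.

```python
import base64
import re
import string
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Common Log Format). The CGI path and the
# 'user' parameter name are assumptions, not details taken from the advisory.
SAMPLE_LOGS = [
    '203.0.113.7 - - [06/Apr/2024:10:01:02 +0000] "GET /cgi-bin/example.cgi?user=messagebus&passwd=&system=aWQ= HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Apr/2024:10:01:05 +0000] "GET /cgi-bin/example.cgi?user=admin&passwd=secret HTTP/1.1" 200 1024',
    '192.0.2.3 - - [06/Apr/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [06/Apr/2024:10:03:40 +0000] "GET /cgi-bin/example.cgi?system=not_base64!! HTTP/1.1" 400 0',
]

# Captures client address and request target from a CLF line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_b64_command(value):
    """Return the decoded text if value is base64 yielding printable text, else None."""
    value = value.replace(" ", "+")            # parse_qs turns '+' into a space; undo that
    value += "=" * (-len(value) % 4)           # tolerate payloads sent without padding
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except ValueError:                         # binascii.Error and UnicodeDecodeError
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def analyze_line(line):
    """Return a list of findings for one log line (empty list when nothing matches)."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    src, target = m.groups()
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    findings = []
    if "messagebus" in params.get("user", []):  # 'user' parameter name is an assumption
        findings.append(f"{src}: login attempt as hardcoded account 'messagebus'")
    for value in params.get("system", []):
        decoded = decode_b64_command(value)
        if decoded is not None:
            findings.append(f"{src}: 'system' parameter decodes to {decoded!r}")
        else:
            findings.append(f"{src}: 'system' parameter present but not valid base64")
    return findings


def scan(lines):
    """Run analyze_line over every log line and collect all findings."""
    return [f for line in lines for f in analyze_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Any hit on the 'system' parameter, decodable or not, warrants review, since a legitimate client of these devices has no reason to send it from the internet.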

The NAS device models affected by CVE-2024-3273 are not specified in the original article. However, according to network scans, over 92,000 such devices are exposed online and vulnerable to attacks via these flaws.

Upon reaching out to D-Link about the vulnerability and the possibility of a patch release, the company responded that these NAS devices have reached their end of life (EOL) and are no longer supported. A spokesperson stated, 'All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported.' D-Link recommends that users retire these products and replace them with devices that receive firmware updates.

The affected devices lack automatic online updating capabilities or customer outreach features to deliver notifications, unlike current models. Therefore, D-Link has limited its response to publishing a security bulletin to raise awareness about the flaw and the need to immediately retire or replace the affected devices. D-Link has also established a dedicated support page for legacy devices, where device owners can find the most recent security and firmware updates.

Despite these devices reaching their end of life, users who continue to run the outdated hardware should apply the latest available updates, even though these will not address newly discovered issues such as CVE-2024-3273. NAS devices should also not be exposed to the internet, as they are frequent targets of data theft and ransomware attacks.
