Keypoints
- CVE-2024-3272 exposes hard-coded credentials by manipulating the ‘user’ parameter (input ‘messagebus’).
- CVE-2024-3273 is a command injection vulnerability via the ‘system’ parameter, allowing arbitrary command execution.
- Public exploit code was published on GitHub (netsecfish) and shared on a Russian cybercrime forum demonstrating root (UID 0) access.
- Cyble Global Sensor Intelligence detected active exploitation attempts beginning April 9, with many attacks originating from IPs in China.
- Approximately 94,446 D-Link NAS devices were observed exposed on the internet, including DNS-320L, DNS-325, DNS-327L, and DNS-340L (firmware up to 20240403).
- Multiple IP addresses were recorded attempting exploitation; Cyble published a list of observed source IPs as IOCs.
- D-Link recommends retiring affected EOL/EOS products and replacing them with supported devices that receive firmware updates.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers sent crafted HTTP requests to a vulnerable NAS endpoint to trigger the flaw (‘the malicious HTTP request is aimed at exploiting the vulnerable endpoint of affected D-Link NAS devices’).
- [T1078] Valid Accounts – The flaw reveals hard-coded credentials by manipulating the ‘user’ argument with ‘messagebus’ input, enabling credential-based access (‘manipulate the ‘user’ argument using the input ‘messagebus,’ thus revealing hard-coded credentials.’).
- [T1203] Exploitation for Client Execution – The ‘system’ parameter can be manipulated to achieve command injection and execute arbitrary commands on the device (‘allows a remote attacker to manipulate the ‘system’ parameter, which leads to command injection.’).
- [T1588] Obtain Capabilities – Public posting of exploit code on GitHub and sharing on a cybercrime forum facilitated rapid weaponization and reuse by other actors (‘disclosed initially by an individual … on GitHub’ and ‘TA sharing an exploit for CVE-2024-3273 over a cybercrime forum’).
Indicators of Compromise
- [IP Address] Exploitation sources observed – 47.94.155.169, 8.134.81.86, and 20 other IPs observed attempting to exploit CVE-2024-3273.
- [IP Address] Additional exploitation sources – 171.244.23.11, 120.79.250.151, and other listed addresses from CGSI observations.
- [URL] Public exploit repositories and references – https://github.com/netsecfish/dlink, https://vuldb.com/?id.259284 (exploit/disclosure resources shared publicly).
- [URL] Original analysis/source – https://cyble.com/blog/critical-d-link-nas-vulnerability-under-active-exploitation/ (Cyble report containing exploit screenshots and IOC listings).
Exploitation targets the nas_sharing.cgi CGI script on affected D-Link NAS firmware. CVE-2024-3272 lets an attacker craft requests that manipulate the ‘user’ parameter (with input such as ‘messagebus’) to disclose hard-coded credentials embedded in the device software; those credentials can then be used for authenticated access. CVE-2024-3273 enables command injection through the ‘system’ parameter, allowing arbitrary command execution on the appliance; chained together, the two flaws give full control of the device, as demonstrated by an attacker posting ‘id’ output showing UID 0 (root).
Proof-of-concept code and exploitation details were published publicly (GitHub) and reposted on a Russian cybercrime forum, accelerating weaponization and widespread scanning. Cyble’s sensors detected active exploitation attempts from April 9 onward and logged dozens of source IPs; at the time of reporting roughly 94,446 D-Link NAS instances remained exposed on the internet, including DNS-320L, DNS-325, DNS-327L, and DNS-340L (firmware up to 20240403), increasing the risk of large-scale compromise.
Technical mitigations: remove or isolate EOL/EOS D-Link NAS devices from public networks, apply vendor-recommended upgrades where available, block known malicious source IPs at the network perimeter, and monitor HTTP requests to nas_sharing.cgi for suspicious ‘user’ or ‘system’ parameter values. Preserve forensic logs and scan infrastructure for the listed IPs/URLs to identify successful exploit activity.
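As an added illustration of the monitoring step above (this is not code from the Cyble report), a Python filter that flags access-log requests to nas_sharing.cgi carrying ‘user=messagebus’ or a non-empty ‘system’ parameter, or arriving from source IPs quoted in the IOC section. The combined log layout, the /cgi-bin/ path prefix and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Source IPs quoted in the IOC section above; the full published list is longer.
KNOWN_BAD_IPS = {"47.94.155.169", "8.134.81.86", "171.244.23.11", "120.79.250.151"}

# Apache/nginx "combined" access-log layout (assumed): ip ident user [ts] "req" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return detection reasons for one access-log line; an empty list means no hit."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: not this filter's concern
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/nas_sharing.cgi"):
        return []  # only the affected CGI endpoint is of interest
    qs = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    if "messagebus" in qs.get("user", []):
        reasons.append("CVE-2024-3272: user=messagebus (hard-coded credential path)")
    if any(v.strip() for v in qs.get("system", [])):
        reasons.append("CVE-2024-3273: non-empty 'system' parameter (command injection path)")
    if m.group("ip") in KNOWN_BAD_IPS:
        reasons.append("source IP listed in the published IOCs")
    return reasons

def scan(lines):
    """Return (source_ip, request_target, reasons) for every line that triggers a rule."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:  # classify() only returns reasons for lines LOG_RE matched
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits

# Constructed sample log: a benign request, an exploit-shaped request, an unrelated page.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2024:10:15:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin HTTP/1.1" 200 512
47.94.155.169 - - [09/Apr/2024:10:16:22 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&system=PLACEHOLDER HTTP/1.1" 200 118
198.51.100.7 - - [09/Apr/2024:10:17:03 +0000] "GET /index.html HTTP/1.1" 200 3044
"""

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target}\n  " + "\n  ".join(reasons))
```

Point scan() at real web-server or reverse-proxy logs in front of the NAS; a hit on the ‘system’ rule with a 200 response is worth treating as a likely compromise rather than a mere probe.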
Read more: https://cyble.com/blog/critical-d-link-nas-vulnerability-under-active-exploitation/