D-Link DNS320L/325/327L/340L HTTP GET Command Injection via nas_sharing.cgi
CVE-2024-3273 Published on April 4, 2024
D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Known Exploited Vulnerability
This D-Link Multiple NAS Devices Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.
The following remediation steps are recommended / required by May 2, 2024: This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update 8 days later.
Weakness Type
What is a Command Injection Vulnerability?
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2024-3273 has been classified to as a Command Injection vulnerability or weakness.
Products Associated with CVE-2024-3273
Want to know whenever a new CVE is published for D-Link products? stack.watch will email you.
Affected Versions
D-Link DNS-320L:- Version 20240403 is affected.
- Version 20240403 is affected.
- Version 20240403 is affected.
- Version 20240403 is affected.
- Version 20240403 is affected.
- Version 20240403 is affected.
- Version 20240403 is affected.
- Version 20240403 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.