CVE-2024-3273

D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection

Basic Information

CVE State
PUBLISHED
Reserved Date
April 03, 2024
Published Date
April 04, 2024
Last Updated
August 01, 2024
Vendor
D-Link
Product
DNS-320L, DNS-325, DNS-327L, DNS-340L
Description
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

A vulnerability was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. It has been classified as critical. Affected is an unknown process of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. Manipulating the argument system with unknown data can exploit a command injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

CVSS Scores

CVSS v3.1

7.3 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v3.0

7.3 - HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

SSVC Information

Exploitation
Active
Automatable
Yes
Technical Impact
Total

Exploit Status

Exploited in the Wild
Yes (added 2024-04-11 00:00:00 UTC)
Proof of Concept Available
Yes (added 2024-04-09 12:26:37 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2024-04-11 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ThatNotEasy/CVE-2024-3273

Type: github • Created: 2024-04-10 00:27:02 UTC • Stars: 5

D-Link NAS Command Execution Exploit

K3ysTr0K3R/CVE-2024-3273-EXPLOIT

Type: github • Created: 2024-04-09 12:26:37 UTC • Stars: 3

A PoC exploit for CVE-2024-3273 - D-Link Remote Code Execution RCE

adhikara13/CVE-2024-3273

Type: github • Created: 2024-04-07 15:36:18 UTC • Stars: 13

Exploit for CVE-2024-3273, supports single and multiple hosts

Chocapikk/CVE-2024-3273

Type: github • Created: 2024-04-07 03:09:13 UTC • Stars: 95

D-Link NAS CVE-2024-3273 Exploit Tool