HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2024-3273

CVSS 7.3v3.1pub. 2024-04-04upd. 2025-10-30

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Dlink Dnr 202l

    HW
    Dlink
    wszystkie wersje
  • Dlink Dnr 202l Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dnr 322l

    HW
    Dlink
    wszystkie wersje
  • Dlink Dnr 322l Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dnr 326

    HW
    Dlink
    wszystkie wersje
  • Dlink Dnr 326 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 1100 4

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 1100 4 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 120

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 1200 05

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 1200 05 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 120 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 1550 04

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 1550 04 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 315l

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 315l Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 320

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 320 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 320l

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 320l Firmware

    OS
    Dlink
    1.01.0702.20131.03.0904.20131.11
  • Dlink Dns 320lw

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 320lw Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 321

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 321 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 323

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 323 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dns 325

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 325 Firmware

    OS
    Dlink
    1.01
  • Dlink Dns 326

    HW
    Dlink
    wszystkie wersje
  • Dlink Dns 326 Firmware

    OS
    Dlink
    wszystkie wersje

CISA KEV — detailsi

Vendori
D-Link
Producti
Multiple NAS Devices
Added to KEVi
April 11, 2024
Remediation deadline (US Federal)i
May 2, 2024(overdue)
Required action (CISA)i

This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

CISA descriptioni

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 2 maja 2024
CWE
References

Related vulnerabilities

CVE-2024-3272CRITICAL9.8⚠ KEVPL ✓ten sam produkt

D-Link DNS-320L/325/327L/340L — zakodowane na stałe poświadczenia (hard-coded credentials)

CVE-2020-25506CRITICAL9.8⚠ KEVten sam produkt

D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which...

CVE-2019-16057CRITICAL9.8⚠ KEVten sam produkt

The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.

CVE-2018-25120CRITICAL9.3PL ✓ten sam produkt

Command injection w D-Link DNS-343 ShareCenter – zdalny dostęp root

CVE-2024-10914CRITICAL9.2PL ✓ten sam produkt

Command injection w D-Link DNS-320/325/340L — zdalne wykonanie poleceń OS