Cyber Resilience

CVE-2024-3272

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 04 April 2024
Modified: 30 October 2025
KEV Added: 11 April 2024
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9411 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3272 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in D-Link DNS-320L firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).

Deeper analysis

CVE-2024-3272 is a hard-coded credentials vulnerability, assigned CWE-798, that affects the HTTP GET Request Handler component in legacy D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L network-attached storage devices up to 20240403. The flaw resides in the file /cgi-bin/nas_sharing.cgi, where supplying the value "messagebus" to the user argument bypasses authentication via embedded credentials. The vendor has marked the affected products as unsupported and end-of-life. The CVSS 3.1 base score of 9.8 reflects a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can exploit the weakness over the network to obtain administrative access, resulting in complete loss of confidentiality, integrity, and availability on the affected device. Public exploit code has been released, enabling straightforward remote code execution or data exfiltration on any reachable, unpatched unit.

D-Link's security advisory SAP10383 and direct vendor statements confirm that the products are no longer supported, explicitly advising retirement and replacement rather than patching. The associated EPSS score of 0.9411, with a recorded peak of 0.9417, reflects sustained high exploitation likelihood following disclosure.
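To check whether a device has already received the request pattern described above, a defender can search web server or reverse-proxy access logs for it. The following is an added example, not code from the vendor or from this page's sources; it assumes logs in common/combined log format, and the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Values taken from the advisory text on this page.
CGI_PATH = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "messagebus"

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [05/Apr/2024:10:12:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Apr/2024:10:13:44 +0000] "GET /cgi-bin/nas%5Fsharing.cgi?user=%6dessagebus HTTP/1.1" 200 498',
    '192.0.2.20 - - [05/Apr/2024:10:15:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin HTTP/1.1" 401 77',
    '192.0.2.20 - - [05/Apr/2024:10:16:30 +0000] "GET /index.html?user=messagebus HTTP/1.1" 200 1024',
]

def find_hits(lines):
    """Return one dict per logged request that sends user=messagebus to the CGI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not parseable access-log entries
        raw_path, _, query = m["target"].partition("?")
        # Decode percent-escapes and collapse repeated slashes before comparing,
        # so encoded variants of the same path are not missed.
        path = re.sub(r"/+", "/", unquote(raw_path))
        if path != CGI_PATH:
            continue
        # parse_qs percent-decodes both parameter names and values.
        users = parse_qs(query, keep_blank_values=True).get("user", [])
        if BACKDOOR_USER in users:
            hits.append({"client": m["client"], "time": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```

Any hit shows that the endpoint was reachable from the logged client; the vendor guidance quoted on this page is to retire and replace the device.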

EU & UK References

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

CWE(s)
KEV Date Added: 11 April 2024

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Hardcoded backdoor credentials (user=messagebus) enable abuse of default accounts (T1078.001). The CGI endpoint vulnerability allows remote exploitation of a public-facing application (T1190) leading to command injection and arbitrary Unix shell execution (T1059.004).

Affected Assets

dlink · dns-320l firmware · 1.01.0702.2013, 1.03.0904.2013, 1.11
dlink · dns-120 firmware · all versions
dlink · dnr-202l firmware · all versions
dlink · dns-315l firmware · all versions
dlink · dns-320 firmware · all versions
dlink · dns-320lw firmware · all versions
dlink · dns-321 firmware · all versions
dlink · dnr-322l firmware · all versions
dlink · dns-323 firmware · all versions
dlink · dns-325 firmware · 1.01
+10 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires replacement or isolation of the end-of-life D-Link NAS devices that contain the hardcoded credential flaw and receive no patches.

prevent

Enforces access-control decisions on the HTTP handler so that the 'messagebus' hardcoded credential cannot bypass authentication.

prevent

Requires secure authenticator generation and prohibits embedded or default credentials such as the one exploited in nas_sharing.cgi.

References