CVE-2024-3272
Published: 04 April 2024
Summary
CVE-2024-3272 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in D-Link DNS-320L firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).
Deeper analysis
CVE-2024-3272 is a hard-coded credentials vulnerability, assigned CWE-798, that affects the HTTP GET Request Handler component in legacy D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L network-attached storage devices up to 20240403. The flaw resides in the file /cgi-bin/nas_sharing.cgi, where supplying the value "messagebus" to the user argument bypasses authentication via embedded credentials. The vendor marks the affected products as unsupported and end-of-life. The CVSS 3.1 base score of 9.8 reflects a network attack vector, low attack complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can exploit the weakness over the network to obtain administrative access, resulting in complete loss of confidentiality, integrity, and availability on the affected device. Public exploit code has been released, enabling straightforward remote code execution or data exfiltration on any reachable, unpatched unit.
D-Link's security advisory SAP10383 and direct vendor statements confirm that the products are no longer supported, explicitly advising retirement and replacement rather than patching. The associated EPSS score of 0.9411, with a recorded peak of 0.9417, reflects sustained high exploitation likelihood following disclosure.
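Because no patch will ship, spotting requests that reach the affected handler is the practical check while devices await retirement. The following is an added example, not code from this page or from D-Link: it scans web or proxy access logs for requests to /cgi-bin/nas_sharing.cgi and flags those carrying the messagebus value in the user argument, including percent-encoded and doubled-slash variants. The Combined Log Format input, the function names and the rule labels are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint and parameter value come from the CVE description on this page.
CGI_PATH = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "messagebus"

# Assumption: the proxy or sensor in front of the NAS writes Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2024:03:14:07 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus HTTP/1.1" 200 312
198.51.100.23 - - [12/Apr/2024:03:15:40 +0000] "GET /cgi-bin//nas_sharing.cgi?user=%6Dessagebus HTTP/1.1" 200 298
192.0.2.10 - - [12/Apr/2024:08:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice HTTP/1.1" 401 120
192.0.2.10 - - [12/Apr/2024:08:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
"""


def classify(line):
    """Return a finding dict for requests to the vulnerable CGI, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    raw_path, _, query = m["target"].partition("?")
    # Decode percent-escapes and collapse repeated slashes before comparing.
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if path != CGI_PATH:
        return None
    # parse_qs percent-decodes values; compare case-insensitively to over-detect.
    users = [u.strip().lower() for u in parse_qs(query).get("user", [])]
    rule = "backdoor-account" if BACKDOOR_USER in users else "endpoint-access"
    return {"rule": rule, "src": m["src"], "ts": m["ts"], "status": int(m["status"])}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any "endpoint-access" finding from an address outside the management network is also worth review, since the handler should not be reachable on a device that has been isolated.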
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31862
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
- CWE(s): CWE-798
- KEV Date Added: 11 April 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded backdoor credentials (user=messagebus) enable abuse of default accounts (T1078.001). The CGI endpoint vulnerability allows remote exploitation of a public-facing application (T1190) leading to command injection and arbitrary Unix shell execution (T1059.004).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires replacement or isolation of the end-of-life D-Link NAS devices that contain the hardcoded credential flaw and receive no patches.
Enforces access-control decisions on the HTTP handler so that the 'messagebus' hardcoded credential cannot bypass authentication.
Requires secure authenticator generation and prohibits embedded or default credentials such as the one exploited in nas_sharing.cgi.