CVE-2024-3273
Published: 04 April 2024
Summary
CVE-2024-3273 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DNS-320L firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
A critical command injection vulnerability (CWE-77) exists in the HTTP GET request handler of the file /cgi-bin/nas_sharing.cgi on D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L devices up to version 20240403. The flaw is triggered by unsanitized input to the system argument and permits unauthenticated remote attackers to execute arbitrary commands. The affected products are end-of-life, carry an “unsupported when assigned” status, and have no vendor fixes available.
An attacker with network access can send a crafted GET request to the CGI endpoint and obtain limited read, write, and execution capabilities on the device. Public exploit code has been released, and the issue can be triggered without user interaction or credentials, consistent with its CVSS 7.3 rating.
D-Link’s security advisory SAP10383 and associated vendor statements confirm the products are no longer supported and explicitly recommend retirement and replacement. No patches or mitigations are provided for these discontinued models. The associated EPSS score of 0.9443 indicates sustained public interest in exploitation since disclosure.
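Because no fix exists, reviewing web or reverse-proxy logs for requests that reach the endpoint is the practical check until the devices are retired. The following is an added example, not code from D-Link or from this page: it flags requests to /cgi-bin/nas_sharing.cgi and marks those carrying the system argument. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Endpoint and argument named in the CVE-2024-3273 description.
VULN_PATH = "/cgi-bin/nas_sharing.cgi"
VULN_ARG = "system"

# Assumed input: common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Return 'system-arg', 'endpoint', or None for a request target."""
    raw_path, _, query = target.partition("?")
    # Decode percent-encoding, collapse "./", "../" and repeated slashes,
    # and case-fold so that variants of the path are still flagged.
    path = "/" + posixpath.normpath(unquote(raw_path)).lstrip("/")
    if path.lower() != VULN_PATH:
        return None
    # parse_qs percent-decodes parameter names before we compare them.
    args = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "system-arg" if VULN_ARG in args else "endpoint"

def scan(lines):
    """Return (ip, timestamp, status, verdict) for requests touching the CGI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            hits.append((m["ip"], m["ts"], int(m["status"]), verdict))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Apr/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [05/Apr/2024:10:02:11 +0000] "GET /cgi-bin/nas_sharing.cgi?system=CONSTRUCTED_VALUE HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.9 - - [05/Apr/2024:10:02:15 +0000] "GET /cgi-bin/./nas_sharing.cgi?a=1&s%79stem=CONSTRUCTED_VALUE HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.44 - - [05/Apr/2024:10:03:00 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "system-arg" hit with a 200 status on an affected model warrants treating the device as compromised; an "endpoint" hit alone indicates probing.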
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31863
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
- CWE(s)
- KEV Date Added: 11 April 2024
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Public-facing CGI script vulnerable to unauthenticated command injection (T1190, T1059.004 Unix Shell, T1202 Indirect Command Execution) via backdoor hardcoded credentials (T1078.001 Default Accounts).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires replacement of EOL components whose lack of vendor support leaves the command-injection flaw in nas_sharing.cgi permanently unpatched.
Mandates validation and sanitization of the untrusted 'system' argument supplied to the HTTP GET handler, blocking the command-injection vector at the point of input.
Enforces access-control policy on the CGI endpoint so that unauthenticated remote requests cannot reach the vulnerable function.