Cyber Resilience

CVE-2024-3273

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 04 April 2024

Published
04 April 2024
Modified
30 October 2025
KEV Added
11 April 2024
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.9443 100.0th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-3273 is a high-severity Command Injection (CWE-77) vulnerability in Dlink Dns-320L Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A critical command injection vulnerability (CWE-77) exists in the HTTP GET request handler of the file /cgi-bin/nas_sharing.cgi on D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L devices up to version 20240403. The flaw is triggered by unsanitized input to the system argument and permits unauthenticated remote attackers to execute arbitrary commands. The affected products are end-of-life, carry an “unsupported when assigned” status, and have no vendor fixes available.

An attacker with network access can send a crafted GET request to the CGI endpoint and obtain limited read, write, and execution capabilities on the device. Public exploit code has been released, and the issue can be triggered without user interaction or credentials, consistent with its CVSS 7.3 rating.

D-Link’s security advisory SAP10383 and associated vendor statements confirm the products are no longer supported and explicitly recommend retirement and replacement. No patches or mitigations are provided for these discontinued models. The associated EPSS score of 0.9443 indicates sustained public interest in exploitation since disclosure.

EU & UK References

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler.…

more

The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

CWE(s)
KEV Date Added
11 April 2024

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Public-facing CGI script vulnerable to unauthenticated command injection (T1190, T1059.004 Unix Shell, T1202 Indirect Command Execution) via backdoor hardcoded credentials (T1078.001 Default Accounts).

Affected Assets

dlink
dns-320l firmware
1.01.0702.2013, 1.03.0904.2013, 1.11
dlink
dns-120 firmware
all versions
dlink
dnr-202l firmware
all versions
dlink
dns-315l firmware
all versions
dlink
dns-320 firmware
all versions
dlink
dns-320lw firmware
all versions
dlink
dns-321 firmware
all versions
dlink
dnr-322l firmware
all versions
dlink
dns-323 firmware
all versions
dlink
dns-325 firmware
1.01
+10 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires replacement of EOL components whose lack of vendor support leaves the command-injection flaw in nas_sharing.cgi permanently unpatched.

prevent

Mandates validation and sanitization of the untrusted 'system' argument supplied to the HTTP GET handler, blocking the command-injection vector at the point of input.

prevent

Enforces access-control policy on the CGI endpoint so that unauthenticated remote requests cannot reach the vulnerable function.

References