CVE-2024-3272
- EPSS 94.15%
- Published 04.04.2024 01:15:50
- Last modified 29.11.2024 16:45:43
- Source cna@vuldb.com
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Data is provided by the National Vulnerability Database (NVD)
Affected configurations:
- Dlink ≫ Dns-320l Firmware, version 1.01.0702.2013
- Dlink ≫ Dns-320l Firmware, version 1.03.0904.2013
- Dlink ≫ Dns-320l Firmware, version 1.11
- Dlink ≫ Dns-120 Firmware, version -
- Dlink ≫ Dnr-202l Firmware, version -
- Dlink ≫ Dns-315l Firmware, version -
- Dlink ≫ Dns-320 Firmware, version -
- Dlink ≫ Dns-320lw Firmware, version -
- Dlink ≫ Dns-321 Firmware, version -
- Dlink ≫ Dnr-322l Firmware, version -
- Dlink ≫ Dns-323 Firmware, version -
- Dlink ≫ Dns-325 Firmware, version 1.01
- Dlink ≫ Dns-326 Firmware, version -
- Dlink ≫ Dns-327l Firmware, version 1.00.0409.2013
- Dlink ≫ Dns-327l Firmware, version 1.09
- Dlink ≫ Dnr-326 Firmware, version -
- Dlink ≫ Dns-340l Firmware, version 1.08
- Dlink ≫ Dns-343 Firmware, version -
- Dlink ≫ Dns-345 Firmware, version -
- Dlink ≫ Dns-726-4 Firmware, version -
- Dlink ≫ Dns-1100-4 Firmware, version -
- Dlink ≫ Dns-1200-05 Firmware, version -
- Dlink ≫ Dns-1550-04 Firmware, version -
11.04.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
Description: D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contains a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.
Required actions: This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.15% | 0.999 |

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| cna@vuldb.com | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| cna@vuldb.com | 10 | 10 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
CWE-798 Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.