top of page

D-Link NAS Command Injection and Backdoor Account (CVE-2024-3273)

Appliances Details

Network attached storage (NAS) devices make it easy to share a pool of storage between an entire network of computers and other devices.


A critical vulnerability was found in the following D-Link NAS models; DNS-320L, DNS-325, DNS-327L and DNS-340L, which could be used to run malicious code, steal sensitive data, and mount denial-of-service (DoS) attacks.


Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler.

The vulnerability exists in the nas_sharing.cgi CGI script, which leads to:

  • Backdoor through Username and Password Exposure: The request includes parameters for a username (user=messagebus) and an empty password field (passwd=). This indicates a backdoor allowing unauthorized access without proper authentication.

  • Command Injection through the System Parameter: The system parameter within the request carries a base64 encoded value that, when decoded, appears to be a command.

GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=ZWNobwlzQ1R0ekdEeVZxT0NVZVVicQ==


By turning this into a traffic file and matching rule, we are able to detect attempts to steal sensitive data or perform DoS attacks, by injecting malicious commands


Idappcom have created signature 8024812 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page