D-Link issues rip and replace order for some NAS models


D-Link is telling owners of expired NAS devices to retire them and replace them with newer kit, following the publication of security flaws that, used together, are now being actively exploited.

It doesn't help that the devices, which reached their end-of-life (EOL) date several years ago, have a backdoor (CVE-2024-3272, CVSS: 9.8 – critical) enabled by hard-coded credentials (username: messagebus, plus an empty password field).

This, combined with a command injection bug (CVE-2024-3273, CVSS: 7.3 – high), means that attackers can achieve remote code execution (RCE) on the device and, from there, carry out any follow-up activity they choose. User data is believed to be at risk.

The problems were first published on March 26 by a researcher using the alias "netsecfish", who at the time could only recommend applying vendor patches that would never arrive.
