rear of a D-Link DNS-325
Detail of the back of a D-Link DNS-325.

Vulnerabilities in end-of-life D-Link devices are being exploited, CISA says

The U.S. government has confirmed reports by cybersecurity companies and researchers that some older D-Link devices are being exploited by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3273 and CVE-2024-3272 to its Known Exploited Vulnerabilities list on Thursday, warning federal agencies that they have until May 2 to retire or replace D-Link hardware that in some cases could be a decade old. 

The network-attached devices are used to store and access files remotely. Since Monday, researchers at cybersecurity organizations GreyNoise and ShadowServer have reported that the devices are being attacked widely following the release of an advisory by D-Link about the vulnerabilities on April 4.

GreyNoise warned that as many as 92,000 devices may be at risk of exploitation due to the vulnerabilities. The affected models are DNS-320L, DNS-325, DNS-327L, and DNS-340L. 

D-Link said it was told about the vulnerabilities by a researcher on March 26 and warned customers that the devices had reached their end of life and would no longer receive device software updates and security patches. 

The devices are “no longer supported by D-Link” the company said, writing that they recommend they “be retired and replaced.”

“Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased,” D-Link said. “D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it.”

ShadowServer said exploits and proof of concept (POC) code is available — meaning that without a patch, the devices are vulnerable with no remedy. Bleeping Computer was first to report on the vulnerabilities. 

GreyNoise noted that the attack method to exploit the bugs is typically used by “botnet operators to try to execute malware for every possible CPU architecture in the expectation that at least one will work.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.