Thousands of outdated D-Link network-attached storage (NAS) devices contain a backdoor account that could be exploited by hackers for system takeover.
The issue (CVE-2024-3272) was discovered by a security researcher known online as NetSecFish (NetworkSecurityFish). The vulnerability stems from the presence of hard-coded credentials in the application code.
Furthermore, NetSecFish spotted another shortcoming: an OS command injection flaw (CVE-2024-3273) that could be abused by a remote hacker to execute arbitrary OS commands on the target system via specially crafted data.
The list of impacted models includes DNS-320L versions 1.11, 1.03.0904.2013 and 1.01.0702.2013; DNS-325 version 1.01; DNS-327L versions 1.09 and 1.00.0409.2013; and DNS-340L version 1.08.
According to the researcher, there are more than 92,000 vulnerable D-Link NAS devices exposed on the internet. For its part, D-Link said it will not release fixes for the flaws, as the above-mentioned products are no longer supported. The company recommended that users replace the outdated devices with products that receive firmware updates.