Thursday, April 11, 2024

CISA Adds 2 NAS Vulnerabilities to KEV Catalog

Today, CISA added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, both affecting multiple NAS devices from D-Link. The two vulnerabilities are:

• Use of hard-coded credentials - CVE-2024-3272, and

• Command injection - CVE-2024-3273

NOTE: Both of the links above apply to both vulnerabilities.

While not included in the KEV addition notice, the KEV notice in the CVE record for -3273 includes the following:

“This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.”

On an odd note (and a brief commentary on the continuing problems), only the -3273 CVE entry notes that the CVE has been listed in the KEV Catalog. The -3272 entry currently (2113 EDT, 4-11-24) does not mention that the CVE has been so listed.
