CVE-2009-2765
Published 2009-08-14
Priority: P1, 80, high · CVSS 2.0: 8.3
Exploited in the wild (VulnCheck KEV)
EPSS: 82.50% (99.6th percentile)
httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other versions before build 12533, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to a cgi-bin/ URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dd-wrt | dd-wrt | <= 24 | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:10; metadata:created_at 2010_07_30, cve CVE_2009_2765, confidence Medium, signature_severity Major, updated_at 2024_03_06;)
- Detect HTTP GET requests to paths matching /cgi-bin/; (a semicolon immediately after cgi-bin/); the semicolon is the shell metacharacter injection point. In the rule it is written as the hex byte |3B| (0x3B, the semicolon) following /cgi-bin/, so a URL-encoded %3B that decodes to the same byte in the normalized URI buffer also matches.
- Whitespace in injected commands is replaced with the shell variable $IFS to bypass simple space-based filters; look for $IFS in HTTP URI fields as a strong indicator of exploitation.
- The exploit payload pattern echo${IFS}-ne${IFS} piped to /bin/sh in the URI is a reliable indicator of the Metasploit module's encoded command execution technique.
- The vulnerability is exploitable via CSRF: a crafted img tag or link on a third-party page can trigger the attack against a DD-WRT router owner without requiring an authenticated session.
- The httpd process runs as root on affected DD-WRT devices; any successful command injection via /cgi-bin/; results in immediate root-level code execution.
- The exploit writes a temporary shell script to /tmp/exec.tmp before execution; presence of this file on a DD-WRT device may indicate post-exploitation activity.
- By default, DD-WRT's httpd does not listen on the WAN (outbound) interface, limiting direct remote exploitation; however, CSRF-based attacks bypass this restriction entirely.
- The vulnerability affects DD-WRT 24 sp1 and all builds prior to build 12533; detections should be scoped to devices running firmware older than build 12533.
- The Metasploit module requires a payload compatible with 'generic netcat-e'; other payload types may not function correctly against this target.
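The two URI indicators above (the semicolon directly after /cgi-bin/, and $IFS used as a space substitute) can be checked offline against web-server or proxy logs before the Snort rule is deployed. The following is an added Python example, not code from the page or from any of the sources it cites: it re-implements the rule's content match and pcre over constructed sample request lines (assumed, not captured traffic), URL-decoding the URI first because Snort's http.uri buffer is normalized.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (not captured traffic). The first two
# are benign; the rest carry the /cgi-bin/; marker and/or the $IFS substitute.
SAMPLE_REQUESTS = [
    "GET /index.asp HTTP/1.1",
    "GET /cgi-bin/status.cgi?page=1 HTTP/1.1",
    "GET /cgi-bin/%3Buname HTTP/1.1",
    "GET /cgi-bin/;echo${IFS}test HTTP/1.1",
    "GET /CGI-BIN/%3bls HTTP/1.1",
]

# Mirrors the ET rule: content "/cgi-bin/|3B|" (nocase) plus the pcre
# /\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i, i.e. a semicolon right after /cgi-bin/,
# at least one further character, then a letter.
CGI_SEMICOLON = re.compile(r"/cgi-bin/;.+[a-z]", re.IGNORECASE)

# $IFS (bare or brace-wrapped) inside the URI, the whitespace-bypass indicator.
IFS_SPACE = re.compile(r"\$\{?IFS\}?")


def parse_uri(request_line):
    """Return the URL-decoded request URI of an HTTP request line, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # Decode once so %3B and a literal ';' are treated alike, as the
    # normalized http.uri buffer would.
    return unquote(parts[1])


def classify(request_line):
    """Return the names of the indicators that fire on one request line."""
    uri = parse_uri(request_line)
    if uri is None:
        return []
    hits = []
    if CGI_SEMICOLON.search(uri):
        hits.append("cgi-bin-semicolon")
    if IFS_SPACE.search(uri):
        hits.append("ifs-whitespace")
    return hits


def scan(lines):
    """Map each request line that triggers at least one indicator to its hits."""
    results = {}
    for line in lines:
        hits = classify(line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{hits}: {line}")
```

The $IFS check is kept separate from the semicolon check on purpose: the page lists it as an indicator in its own right, and a log line that shows $IFS without the /cgi-bin/; prefix still deserves a look.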
CVSS provenance
NVD: CVSS v2.0 8.3 HIGH (AV:A/AC:L/Au:N/C:C/I:C/A:C)
VulnCheck: 8.3 HIGH
GHSA
GHSA-p3rr-cvjw-cgxr: httpd (GHSA, unreviewed · 2022-05-02 · CVE-2009-2765 · HIGH · CWE-20)
httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other versions before build 12533, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to a cgi-bin/ URI.
VulnCheck
dd-wrt dd-wrt Improper Input Validation (VulnCheck · 2009 · CVE-2009-2765 · CVSS 8.3 · HIGH)
httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other versions before build 12533, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to a cgi-bin/ URI.
Affected: dd-wrt dd-wrt
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors
- https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
- https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
Suricata
ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt (Suricata · 2010-07-30 · CVE-2009-2765)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:10; metadata:created_at 2010_07_30, cve CVE_2009_2765, confidence Medium, signature_severity Major, updated_at 2024_03_06;)
Exploit-DB
Belkin F5D7234-4 v5 G Wireless Router - Remote Hash Exposed (Exploit-DB · 2011-05-30 · CVE-2012-2765)
---
+-----------------------------------------+
| Belkin G Wireless Router Admin Exploit. |
+-----------------------------------------+
Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version : 1.18
Hardware : F5D7234-4 v5 (01)
Author : Aodrulez.
Email : [email protected]
Twitter : http://twitter.com/Aodrulez
+---------+
| Details |
+---------+
The router's web interface reveals the Administrator Password's
MD5 Hash. It's even possible to bypass the login completely.
+---------+
| Exploit |
+---------+
#/usr/bin/perl
use LWP::Simple;
print "\n Aodrulez's 'Belkin G Wireless Router' Admin Exploit\n";
print "\n ---------------------------------------------------\n\n";
print "[+] Enter the Router's IP Address : ";
my
Exploit-DB
DD-WRT HTTPd Daemon/Service - Arbitrary Command Execution (Metasploit) (Exploit-DB · 2010-07-07 · CVE-2009-2765)
---
##
# $Id: ddwrt_cgibin_exec.rb 9719 2010-07-07 17:38:59Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 [ /DD-WRT/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'DD-WRT HTTP Daemon Arbitrary Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
HTTP management server of wireless gateways running DD-WRT. This flaw
allows an unauthenticated attacker
Exploit-DB
DD-WRT HTTPd Daemon/Service - Remote Command Execution (Exploit-DB · 2009-07-20 · CVE-2009-2766)
---
This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
in the latest 24 sp1 version of the firmware.
The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:
859 if (containsstring(file, "cgi-bin")) {
860
861 auth_fail = 0;
862 if (!do_auth
863 (conn_fp, auth_userid, auth_passwd, auth_realm,
864 authorization, auth_check))
865 auth_fail = 1;
......... (snip)............
899
900 }
901 exec = fopen("/tmp/exec.tmp", "wb");
902 fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
903 if (query)
904 fprintf(exec, "/bin/sh %s/%s/tmp/shellout.asp");
........... (snip)..........
926 if (auth_fail == 1) {
927 send_authenticate(auth_realm);
928 auth_fail = 0;
3) issue 3:
Exploit-DB
DD-WRT HTTP v24-SP1 - Command Injection (Exploit-DB · 2009-07-20 · CVE-2009-2765)
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'DD-WRT HTTP Daemon Arbitrary Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
HTTP management server of wireless gateways running DD-WRT. This flaw
allows an unauthenticated attacker to execute arbitrary commands as
the root user account.
},
'Author' => [ 'gat3way', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-2765'],
[ 'OSVDB', '55
Metasploit
DD-WRT HTTP Daemon Arbitrary Command Execution (Metasploit module)
This module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account.
Fortinet
ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab (FortiGuard Labs Threat Research · 2025-11-26)
Inside the Latest Mirai Variant Targeting IoT Devices Worldwide
By Vincent Li | November 26, 2025
Affected Platforms: DD-WRT 24 sp1, D-Link DNS-320 FW v2.06B01 Revision Ax, D-Link Go-RT-AC750 GORTAC750_revA_v101b03, D-Link GO-RT-AC750_revB_FWv200b02, Digiever DS-2105 Pro 3.1.0.71-11, TBK DVR-4104, TBK DVR-4216, D-Link DNS-320, D-Link DNS-320LW, D-Link DNS-325, D-Link DNS-340L, TP-Link Archer router series
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
At the end of October, during a global disr
Bleepingcomputer
## New ShadowV2 botnet malware used AWS outage as a test opportunity (BleepingComputer · 2025-11-26 · CVSS 8.3 · HIGH)
Bill Toulas
A new Mirai-based botnet malware named ‘ShadowV2’ has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
Fortinet’s FortiGuard Labs researchers spotted the activity during the major AWS outage in October . Although the two incidents are not connected, the botnet was active only for the duration of the outage, which may indicate that it was a test run.
ShadowV2 spread by leveraging at least eight vulnerabilities in multiple IoT products:
DD-WRT (CVE-2009-2765)
D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915)
DigiEver (CVE-2023-52163)
TBK (CVE-2024-3721)
TP-Link (CVE-2024-53375)
Among these flaws, CVE-2024-10914
Unit42
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities (Unit 42 Threat Research · Malware · 2019-12-13)
Ruchna Nigam
Published: December 13, 2019
Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
References:
- http://isc.sans.org/diary.html?storyid=6853
- http://metasploit.com/svn/framework3/trunk/modules/exploits/linux/http/ddwrt_cgibin_exec.rb
- http://securitytracker.com/id?1022596
- http://www.dd-wrt.com/
- http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173
- http://www.exploit-db.com/exploits/9209
- http://www.osvdb.org/55990
- http://www.securityfocus.com/bid/35742
- http://www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/