cbcvebase.
CVE-2021-46441
published 2022-04-27

Priority: P2 (69) · CVSS 3.1: 8.8 (high)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 31.79% (98.1 percentile)
In the "webupg" binary of D-Link DIR-825 G1, because of the lack of parameter verification, attackers can use "cmd" parameters to execute arbitrary system commands after obtaining authorization.

Detection & IOCs (extracted from sources)

  • url: /cgi-bin/webupg
  • other: name|3d|shell&key|3d|twmode&cmd|3d| (Snort/Suricata pipe-delimited hex byte notation; |3d| is '=', so the bytes matched are name=shell&key=twmode&cmd=)
snort/suricata rule (ET sid:2044009; the sticky buffers http.method/http.uri/http.referer/http.request_body and the bsize/endswith modifiers are Suricata 5+ keyword syntax)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/webupg"; fast_pattern; http.referer; content:"autoupgrade.asp"; endswith; http.request_body; content:"name|3d|shell&key|3d|twmode&cmd|3d|"; reference:url,github.com/tgp-top/D-Link-DIR-825; reference:cve,2021-46441; reference:cve,2021-46442; classtype:attempted-admin; sid:2044009; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_01_27, cve CVE_2021_46441, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, reviewed_at 2024_09_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit requests use the HTTP POST method against the exact URI /cgi-bin/webupg; bsize:15 pins the normalized URI buffer to exactly 15 bytes, so a query string appended to the path would not match.
  • Exploit requests carry a Referer header ending in 'autoupgrade.asp', i.e. they mimic a form submission from the device's firmware-upgrade page.
  • The POST body contains 'name=shell&key=twmode&cmd=' (written in the rule as name|3d|shell&key|3d|twmode&cmd|3d|, the Snort/Suricata pipe-delimited hex notation for the '=' byte 0x3d; this is not URL-encoding), which is the parameter structure used to inject arbitrary OS commands through the 'cmd' parameter.
  • The vulnerability resides in the 'webupg' binary of the D-Link DIR-825 G1; the 'cmd' parameter lacks input validation, enabling OS command injection post-authentication.
  • Exploitation requires prior authorization on the D-Link DIR-825 G1 device; unauthenticated exploitation is not indicated by the available sources.
  • The rule (sid:2044009) also covers CVE-2021-46442 with the same signature; detections firing on it should be triaged for both CVEs.
  • Every matched field (method, exact URI length, Referer suffix, parameter order in the body) is attacker-controlled, so the signature is precise but easy to evade by, for example, omitting the Referer header; the rule's deployment metadata (SSLDecrypt) also means it only sees HTTPS management traffic once that traffic is decrypted.
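As an added example (not code from this page, from the rule's author or from D-Link), the script below re-implements the match conditions of sid:2044009 over constructed HTTP requests: it decodes the rule's pipe-delimited hex content into the bytes the engine compares, applies the POST, exact-URI-length, Referer-suffix and body-content checks, and contrasts that with a looser hunting check that drops the attacker-controlled Referer requirement. The sample requests, the host address and the value after cmd= are constructed for illustration; parse_request is a deliberately minimal HTTP splitter, not a stand-in for Suricata's HTTP parser and URI normalization.

```python
"""Re-implementation of the ET sid:2044009 match logic over sample requests.

Added example; not the rule author's or D-Link's code. The sample
requests below are constructed for illustration.
"""
from typing import Dict, Tuple


def decode_content(pattern: str) -> bytes:
    """Decode a Snort/Suricata content string: text between pipes is hex
    bytes, so "cmd|3d|" becomes b"cmd=" (0x3d is '=')."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == "|":
            end = pattern.index("|", i + 1)
            for hx in pattern[i + 1:end].split():
                out.append(int(hx, 16))
            i = end + 1
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


# Values taken from the rule on this page.
TARGET_URI = b"/cgi-bin/webupg"       # content + bsize:15 -> exact 15-byte URI buffer
REFERER_SUFFIX = b"autoupgrade.asp"   # http.referer; content:...; endswith
BODY_PATTERN = decode_content("name|3d|shell&key|3d|twmode&cmd|3d|")


def parse_request(raw: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes], bytes]:
    """Minimal HTTP/1.1 request split into (method, uri, headers, body).
    Header names are lower-cased; no normalization beyond that."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def sid_2044009_matches(raw: bytes) -> bool:
    """The rule's four conditions: POST, exact URI, Referer suffix, body content."""
    method, uri, headers, body = parse_request(raw)
    if method != b"POST":
        return False
    if len(uri) != 15 or uri != TARGET_URI:   # bsize:15 + content
        return False
    if not headers.get(b"referer", b"").endswith(REFERER_SUFFIX):
        return False
    return BODY_PATTERN in body


def webupg_cmd_param_seen(raw: bytes) -> bool:
    """Looser hunting check: any POST to the webupg URI whose form body
    carries a cmd= parameter, regardless of Referer or parameter order.
    Wider net and more false positives; for log review, not inline blocking."""
    method, uri, _headers, body = parse_request(raw)
    if method != b"POST" or uri != TARGET_URI:
        return False
    keys = {kv.split(b"=", 1)[0] for kv in body.split(b"&") if kv}
    return b"cmd" in keys


# Constructed sample traffic (host address and cmd value are illustrative).
EXPLOIT_ATTEMPT = (
    b"POST /cgi-bin/webupg HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Referer: http://192.168.0.1/autoupgrade.asp\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n\r\n"
    b"name=shell&key=twmode&cmd=id"
)
NO_REFERER_ATTEMPT = (
    b"POST /cgi-bin/webupg HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n\r\n"
    b"name=shell&key=twmode&cmd=id"
)
BENIGN_PAGE_LOAD = (
    b"GET /autoupgrade.asp HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n\r\n"
)


def triage(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Return (rule_hit, loose_hit) per named sample."""
    return {name: (sid_2044009_matches(raw), webupg_cmd_param_seen(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    results = triage({"exploit": EXPLOIT_ATTEMPT,
                      "no_referer": NO_REFERER_ATTEMPT,
                      "benign": BENIGN_PAGE_LOAD})
    for name, (rule_hit, loose_hit) in results.items():
        print(f"{name:12s} sid:2044009={rule_hit!s:5s} loose={loose_hit}")
```

Running it shows the point of the last bullet above: the request without a Referer header carries the same injection body yet does not trip the signature, while the looser check still flags it. The looser check is what you would run over proxy or router access logs during an incident; the strict one is what the IDS alerts on.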

CVSS provenance

  • NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • NVD, CVSS v2.0: 9.0, AV:N/AC:L/Au:S/C:C/I:C/A:C (shown here as CRITICAL; the v2 severity scale has no Critical band and NVD rates 9.0 as HIGH)