CVE-2021-46441
Published 2022-04-27
Priority: P2 · 69 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 31.79% (98.1th percentile)
In the "webupg" binary of D-Link DIR-825 G1, because of the lack of parameter verification, attackers can use "cmd" parameters to execute arbitrary system commands after obtaining authorization.
Detection & IOCs (extracted from sources)
URL: /cgi-bin/webupg
Other: name|3d|shell&key|3d|twmode&cmd|3d|
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/webupg"; fast_pattern; http.referer; content:"autoupgrade.asp"; endswith; http.request_body; content:"name|3d|shell&key|3d|twmode&cmd|3d|"; reference:url,github.com/tgp-top/D-Link-DIR-825; reference:cve,2021-46441; reference:cve,2021-46442; classtype:attempted-admin; sid:2044009; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_01_27, cve CVE_2021_46441, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, reviewed_at 2024_09_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit requests use the HTTP POST method against the exact URI /cgi-bin/webupg (the URI buffer is exactly 15 bytes).
- Exploit requests carry an HTTP Referer header ending in 'autoupgrade.asp', indicating the request originates from the device's upgrade page flow.
- The POST body contains the pattern 'name=shell&key=twmode&cmd=' (written in the rule as name|3d|shell&key|3d|twmode&cmd|3d|, where |3d| is the hex form of '='), the specific parameter structure used to inject arbitrary OS commands via the 'cmd' parameter.
- The vulnerability resides in the 'webupg' binary of D-Link DIR-825 G1; the 'cmd' parameter lacks input validation, enabling OS command injection post-authentication.
- Exploitation requires prior authorization on the D-Link DIR-825 G1 device; unauthenticated exploitation is not indicated by the available sources.
- The Snort/Suricata rule (sid:2044009) also covers CVE-2021-46442 with the same signature; detections firing on this rule should be triaged for both CVEs.
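The rule's match conditions, mirrored as an added Python matcher over a constructed request (example code added here, not from the rule's authors or the page); the host names and placeholder body values are assumptions:

```python
# Mirrors the match conditions of ET sid:2044009 on one parsed HTTP request.
# Content matches in the rule have no 'nocase', so comparisons are exact bytes.
BODY_PATTERN = b"name=shell&key=twmode&cmd="  # decoded form of name|3d|shell&key|3d|twmode&cmd|3d|


def parse_http_request(raw: bytes):
    """Minimal parser for a single raw HTTP/1.x request (constructed input only).
    Returns (method, uri, headers with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def matches_webupg_rule(method: str, uri: str, headers: dict, body: bytes) -> bool:
    """True when every condition of the rule holds: POST, URI exactly
    /cgi-bin/webupg (bsize:15), Referer ending in autoupgrade.asp, and the
    injection pattern present in the request body."""
    if method != "POST":                       # http.method; content:"POST"
        return False
    # bsize:15 applies to the whole URI buffer, so a query string or trailing
    # path would make the URI longer than 15 bytes and the rule would not fire.
    if len(uri.encode()) != 15 or uri != "/cgi-bin/webupg":
        return False
    if not headers.get("referer", "").endswith("autoupgrade.asp"):  # endswith
        return False
    return BODY_PATTERN in body                # http.request_body; content:...


def detect_webupg_rce_attempt(raw: bytes) -> bool:
    return matches_webupg_rule(*parse_http_request(raw))


# Constructed samples (hostname assumed; the cmd value is a placeholder, not a command).
_HEAD = b"Host: router.example\r\nReferer: http://router.example/autoupgrade.asp\r\n"
_BODY = b"name=shell&key=twmode&cmd=PLACEHOLDER"
SAMPLE_MATCH = b"POST /cgi-bin/webupg HTTP/1.1\r\n" + _HEAD + b"\r\n" + _BODY
SAMPLE_QUERY = b"POST /cgi-bin/webupg?x=1 HTTP/1.1\r\n" + _HEAD + b"\r\n" + _BODY   # bsize:15 fails
SAMPLE_NO_REF = b"POST /cgi-bin/webupg HTTP/1.1\r\nHost: router.example\r\n\r\n" + _BODY
SAMPLE_GET = b"GET /cgi-bin/webupg HTTP/1.1\r\n" + _HEAD + b"\r\n"
```

Run the three non-matching samples against any local rewrite of the signature to confirm it is no broader than the original.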
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
Suricata
ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442)
Suricata · 2023-01-27
No public exploits indexed.
No writeups or analysis indexed.