CVE-2021-46442
Published 2022-04-27

Priority: P1 (90), critical; CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the wild: listed in VulnCheck KEV; exploited in the wild
EPSS: 54.57% (98.9th percentile)
In the "webupg" binary of D-Link DIR-825 G1, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization.

Detection & IOCs (extracted from sources)

url: /cgi-bin/webupg
path: /cgi-bin/webupg
command: name|3d|shell&key|3d|twmode&cmd|3d|
snort:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/webupg"; fast_pattern; http.referer; content:"autoupgrade.asp"; endswith; http.request_body; content:"name|3d|shell&key|3d|twmode&cmd|3d|"; reference:url,github.com/tgp-top/D-Link-DIR-825; reference:cve,2021-46441; reference:cve,2021-46442; classtype:attempted-admin; sid:2044009; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_01_27, cve CVE_2021_46441, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, reviewed_at 2024_09_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit requests use HTTP POST method targeting the exact URI /cgi-bin/webupg (URI length is exactly 15 bytes)
  • Exploit requests include the HTTP Referer header ending with 'autoupgrade.asp', used to bypass authentication in the webupg binary
  • POST body contains the parameter string 'name=shell&key=twmode&cmd=' (written in the rule as name|3d|shell&key|3d|twmode&cmd|3d|, where |3d| is Snort/Suricata hex notation for the '=' byte), indicating a command injection attempt
  • Targeted device is D-Link DIR-825 G1; the vulnerable binary is 'webupg'; unauthenticated access allows firmware update and config file download
  • The Snort/Suricata rule (sid:2044009) covers CVE-2021-46441 as well as CVE-2021-46442; a single alert references both CVEs and does not distinguish between them
  • Rule is recommended for Perimeter, Internal, and SSLDecrypt deployment contexts; TLS inspection is required to detect this exploit over HTTPS
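To make the rule's logic concrete, the following is an added Python example (not from the original page, Proofpoint, or D-Link) that emulates the HTTP-layer conditions of sid:2044009 on constructed sample requests; the sample names, the address 192.0.2.1 and the "REDACTED" cmd value are assumptions, and the flow:established,to_server condition is not modelled.

```python
# Body content string exactly as it appears in the ET rule above.
SNORT_BODY_CONTENT = "name|3d|shell&key|3d|twmode&cmd|3d|"


def snort_content_to_bytes(content: str) -> bytes:
    """Expand Snort/Suricata |hh hh| hex escapes into raw bytes.

    Text outside the pipes is matched literally, so the rule's
    'name|3d|shell' is the byte string b'name=shell'."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment between pipes
    return bytes(out)


def matches_sid_2044009(method: str, uri: str, headers: dict, body: bytes) -> bool:
    """Apply the rule's four content conditions to one parsed HTTP request.

    All conditions are ANDed, exactly as in the rule."""
    referer = headers.get("Referer", "")
    return (
        method == "POST"                                   # http.method; content:"POST"
        and len(uri.encode()) == 15                        # http.uri; bsize:15
        and "/cgi-bin/webupg" in uri                       # content:"/cgi-bin/webupg"
        and referer.endswith("autoupgrade.asp")            # http.referer; ...; endswith
        and snort_content_to_bytes(SNORT_BODY_CONTENT) in body  # http.request_body
    )


# Constructed sample requests (hypothetical, for testing the matcher only).
SAMPLES = {
    "benign_get": ("GET", "/cgi-bin/webupg",
                   {"Referer": "http://192.0.2.1/autoupgrade.asp"}, b""),
    "matching_post": ("POST", "/cgi-bin/webupg",
                      {"Referer": "http://192.0.2.1/autoupgrade.asp"},
                      b"name=shell&key=twmode&cmd=REDACTED"),
    "uri_not_exact": ("POST", "/cgi-bin/webupg/",   # 16 bytes: bsize:15 fails
                      {"Referer": "http://192.0.2.1/autoupgrade.asp"},
                      b"name=shell&key=twmode&cmd=REDACTED"),
}


def scan_samples() -> dict:
    """Return {sample name: True if the rule would fire}."""
    return {name: matches_sid_2044009(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The third sample shows why bsize:15 matters: a URI that merely contains /cgi-bin/webupg but differs in length does not fire the rule, so a deployment that wants broader coverage needs a separate rule rather than a looser edit of this one.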

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL