CVE-2021-46442
Published 2022-04-27
Priority: P190 · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 54.57% (98.9th percentile)
In the "webupg" binary of D-Link DIR-825 G1, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization.
Detection & IOCs (extracted from sources)
url: /cgi-bin/webupg
path: /cgi-bin/webupg
command: name|3d|shell&key|3d|twmode&cmd|3d|
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cgi-bin/webupg"; fast_pattern; http.referer; content:"autoupgrade.asp"; endswith; http.request_body; content:"name|3d|shell&key|3d|twmode&cmd|3d|"; reference:url,github.com/tgp-top/D-Link-DIR-825; reference:cve,2021-46441; reference:cve,2021-46442; classtype:attempted-admin; sid:2044009; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_01_27, cve CVE_2021_46441, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_26, reviewed_at 2024_09_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit requests use the HTTP POST method against the exact URI /cgi-bin/webupg (bsize:15 requires the URI buffer to be exactly 15 bytes).
- Exploit requests carry an HTTP Referer header ending in 'autoupgrade.asp', which is what bypasses authentication in the webupg binary.
- The POST body contains the parameter string 'name=shell&key=twmode&cmd=' (written in the rule as name|3d|shell&key|3d|twmode&cmd|3d|, since |3d| is hex for '='), indicating a command injection attempt.
- The targeted device is the D-Link DIR-825 G1; the vulnerable binary is 'webupg'; unauthenticated access allows firmware update and configuration file download.
- The Snort/Suricata rule (sid:2044009) covers CVE-2021-46441 as well as CVE-2021-46442; a single alert does not distinguish between the two.
- The rule is recommended for Perimeter, Internal, and SSLDecrypt deployment contexts; SSL inspection is required to detect this exploit over HTTPS.
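To make the four conditions of sid:2044009 concrete for log or pcap triage, the following Python is an added example (not from this page, the ET ruleset, or D-Link): it parses a raw HTTP request and evaluates the same method, URI, Referer and body checks the rule combines. The sample requests are constructed for the example, with the value after cmd= replaced by a placeholder.

```python
"""Re-implementation of the conditions in ET rule sid:2044009 for offline triage.

Added example; not part of the original page or the Emerging Threats ruleset.
"""
from dataclasses import dataclass, field

# Content matches taken from the rule. In rule syntax |3d| is the byte 0x3d ('=').
WEBUPG_URI = "/cgi-bin/webupg"             # http.uri with bsize:15 -> exactly these 15 bytes
REFERER_SUFFIX = "autoupgrade.asp"         # http.referer; endswith
BODY_MARKER = "name=shell&key=twmode&cmd="  # http.request_body; content


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_raw_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x request (CRLF or LF line endings) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def match_webupg_rule(req: HttpRequest) -> dict:
    """Evaluate each rule condition separately; the alert fires only when all hold.

    Returning the individual checks lets an analyst see which condition a
    near-miss failed on (e.g. a probe with the right URI but no Referer).
    """
    checks = {
        "method_post": req.method == "POST",
        # bsize:15 applies to the whole normalized URI buffer (query string included),
        # so a URI with any trailing characters does not satisfy this condition.
        "uri_exact": req.uri == WEBUPG_URI and len(req.uri.encode()) == 15,
        "referer_suffix": req.headers.get("referer", "").endswith(REFERER_SUFFIX),
        "body_marker": BODY_MARKER in req.body,
    }
    checks["alert"] = all(checks.values())
    return checks


# Constructed sample traffic (placeholder addresses from 192.0.2.0/24; not captured data).
SAMPLE_HIT = (
    "POST /cgi-bin/webupg HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Referer: http://192.0.2.1/autoupgrade.asp\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=shell&key=twmode&cmd=PLACEHOLDER"
)
SAMPLE_BENIGN_GET = (
    "GET /cgi-bin/webupg HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "\r\n"
)
SAMPLE_QUERY_URI = (
    "POST /cgi-bin/webupg?x=1 HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Referer: http://192.0.2.1/autoupgrade.asp\r\n"
    "\r\n"
    "name=shell&key=twmode&cmd=PLACEHOLDER"
)


def triage(raw_requests):
    """Return (request line, checks) for each raw request, for a quick review table."""
    results = []
    for raw in raw_requests:
        req = parse_raw_request(raw)
        results.append((f"{req.method} {req.uri}", match_webupg_rule(req)))
    return results


if __name__ == "__main__":
    for line, checks in triage([SAMPLE_HIT, SAMPLE_BENIGN_GET, SAMPLE_QUERY_URI]):
        print(line, "->", "ALERT" if checks["alert"] else "no alert", checks)
```

The third sample is included to show that bsize:15 makes the URI condition an exact-length match; when tuning a local copy of the rule, decide deliberately whether that strictness is what you want at the perimeter.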
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8jv6-jjxw-75rx [CRITICAL] · ghsa_unreviewed · 2022-04-28
In the "webupg" binary of D-Link DIR-825 G1, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization.
VulnCheck
D-Link DIR-825 R1 Devices Improper Authentication [CRITICAL] · vulncheck · 2021 · CVSS 9.8
In the "webupg" binary of D-Link DIR-825 G1, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization.
Affected: D-Link DIR-825 R1 Devices
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-46442; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-06&host_type=src&vulnerability=cve-2021-46442; https://dashboard.shadowserver.org/st
Suricata
ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442) · suricata · 2023-01-27 · also listed under CVE-2021-46441
Rule: sid:2044009 (full rule text given under Detection & IOCs above)
No public exploits indexed.
No writeups or analysis indexed.
Timeline
- 2022-04-27: Published
- Exploited in the wild