CVE-2021-47854
Buffer Overflow in DD-WRT UPNP Service Enables Remote Code Execution

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device.
Meta Information
Published: 2026-01-21
Last Modified: 2026-01-21
Generated: 2026-05-07
AI Q&A: 2026-01-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dd-wrt
Product: dd-wrt
Version / Range: up to 45724 (exclusive)
CWE ID: CWE-120
Description: The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47854 is a buffer overflow vulnerability in the Universal Plug and Play (UPnP) service of DD-WRT firmware version 45723 and earlier. It occurs because the firmware copies user-supplied data from UPnP M-SEARCH packets into a fixed-size buffer without proper bounds checking. Specifically, an overly long UUID value in the M-SEARCH request causes the buffer to overflow. This flaw can be exploited by an unauthenticated attacker on the local network by sending a crafted UDP packet with an excessively long UUID string, potentially leading to a crash of the UPnP service or arbitrary code execution on the device. [1, 2, 5]


How can this vulnerability impact me?

This vulnerability can allow remote attackers on the local network to cause a denial-of-service (DoS) by crashing the UPnP service on affected DD-WRT devices. Additionally, it potentially allows attackers to execute arbitrary code on the device, which could lead to full compromise of the router or access point. This can disrupt network connectivity and compromise the security of the network and connected devices. [1, 2, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted M-SEARCH SSDP UDP packet with an oversized UUID or ST header to port 1900 on the target device and observing whether the UPnP service crashes or behaves abnormally. A proof-of-concept Python script is available that sends such a malicious M-SEARCH packet to trigger the buffer overflow. The same test can be made with netcat or a custom script by sending a UDP packet to port 1900 with a payload similar to:

```
M-SEARCH * HTTP/1.1
HOST:239.255.255.250:1900
ST:uuid:DDDD...DDDDAAAA
MX:2
MAN:"ssdp:discover"
```

where the ST header contains a long string (e.g., 164 'D' characters plus 4 'A's). A UPnP service crash or denial-of-service condition on the device after sending such packets indicates the presence of the vulnerability. [1, 2]
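
A passive check that complements the active test above, as an added example (not code from the original page or from the DD-WRT project): it parses UDP port 1900 payloads and flags M-SEARCH requests whose ST uuid or any header value is far longer than normal. The function names, the 64- and 256-character thresholds and the sample payloads are assumptions constructed for illustration.

```python
import re

# Assumed thresholds (not from the advisory): a canonical UUID is 36 characters,
# so a much longer "ST: uuid:<value>" is treated as suspicious.
MAX_UUID_LEN = 64
MAX_HEADER_LEN = 256  # assumed ceiling for any single SSDP header value


def parse_ssdp(datagram: bytes):
    """Return (request_line, headers) for an SSDP datagram, or None if empty."""
    lines = re.split(r"\r?\n", datagram.decode("latin-1"))
    if not lines[0].strip():
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip the blank terminator and any line without a colon
            headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers


def inspect_msearch(datagram: bytes):
    """Return a list of findings for one UDP/1900 payload (empty list = clean)."""
    parsed = parse_ssdp(datagram)
    if parsed is None:
        return []
    request_line, headers = parsed
    if not request_line.upper().startswith("M-SEARCH "):
        return []  # only discovery requests are relevant to this CVE
    findings = []
    st = headers.get("ST", "")
    if st.lower().startswith("uuid:") and len(st) - len("uuid:") > MAX_UUID_LEN:
        findings.append(f"oversized uuid in ST ({len(st) - len('uuid:')} chars)")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"oversized {name} header ({len(value)} chars)")
    return findings


# Constructed sample payloads (not captured traffic).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
          b"ST:uuid:2fac1234-31f8-11b4-a222-08002b34c003\r\n"
          b'MX:2\r\nMAN:"ssdp:discover"\r\n\r\n')
SUSPECT = (b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
           b"ST:uuid:" + b"D" * 164 + b"AAAA\r\n"
           b'MX:2\r\nMAN:"ssdp:discover"\r\n\r\n')

if __name__ == "__main__":
    print(inspect_msearch(BENIGN), inspect_msearch(SUSPECT))
```

Feed `inspect_msearch` the UDP payloads seen on port 1900 by whatever capture or sensor tooling is already in place, and tune the thresholds to the devices on the network.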


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling the UPnP service on DD-WRT devices where it is enabled; UPnP is disabled by default and listens only on internal network interfaces. Restricting access to the UPnP service to trusted internal networks can reduce exposure. To fully remediate the issue, update the DD-WRT firmware to a version later than change set 45723, such as 45724 or newer, where the vulnerability has been patched. [1]

