CVE-2021-47854
Unknown Unknown - Not Provided
Buffer Overflow in DD-WRT UPNP Service Enables Remote Code Execution

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47854
EUVD
EUVD-2026-3629
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dd-wrt dd-wrt to 45724 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47854 is a buffer overflow vulnerability in the Universal Plug and Play (UPnP) service of DD-WRT firmware version 45723 and earlier. It occurs because the firmware copies user-supplied data from UPnP M-SEARCH packets into a fixed-size buffer without proper bounds checking. Specifically, an overly long UUID value in the M-SEARCH request causes the buffer to overflow. This flaw can be exploited by an unauthenticated attacker on the local network by sending a crafted UDP packet with an excessively long UUID string, potentially leading to a crash of the UPnP service or arbitrary code execution on the device. [1, 2, 5]

Impact Analysis

This vulnerability can allow remote attackers on the local network to cause a denial-of-service (DoS) by crashing the UPnP service on affected DD-WRT devices. Additionally, it potentially allows attackers to execute arbitrary code on the device, which could lead to full compromise of the router or access point. This can disrupt network connectivity and compromise the security of the network and connected devices. [1, 2, 5]

Detection Guidance

This vulnerability can be detected by sending a crafted M-SEARCH SSDP UDP packet with an oversized UUID or ST header to the target device's port 1900 and observing if the UPnP service crashes or behaves abnormally. A proof-of-concept Python script is available that sends such a malicious M-SEARCH packet to trigger the buffer overflow. The exploit packet format includes sending a UDP packet to port 1900 with an M-SEARCH request containing an excessively long UUID or ST header string. For example, using netcat or a custom script to send a UDP packet to port 1900 with a payload similar to: ``` M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST:uuid:DDDD...DDDDAAAA MX:2 MAN:"ssdp:discover" ``` where the ST header contains a long string (e.g., 164 'D' characters plus 4 'A's) can be used to test the vulnerability. Monitoring the device for UPnP service crashes or denial-of-service conditions after sending such packets indicates the presence of the vulnerability. [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling the UPnP service on DD-WRT devices if it is enabled, as UPnP is disabled by default and listens only on internal network interfaces. Restricting access to the UPnP service to trusted internal networks can reduce exposure. Additionally, updating the DD-WRT firmware to a version later than change set 45723, such as 45724 or newer, where the vulnerability has been patched, is recommended to fully remediate the issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart