CVE-2021-27137
Received Received - Intake

Buffer Overflow in DD-WRT UPnP SSDP Handling

Vulnerability report for CVE-2021-27137, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: MITRE

Description

An issue was discovered in router/upnp/src/ssdp.c in DD-WRT before 45724. An unsafe strcpy in the UPnP handling functionality allows an unauthenticated remote attacker to send a request that would overflow an internal fixed buffer. Exploitation requires the DD-WRT user to enable UPnP (which is off by default, and only listens on internal interfaces by default). This occurs in ssdp_msearch (reachable by an M-SEARCH request).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
dd-wrt dd-wrt 45724
dd-wrt dd-wrt to 45724 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2021-27137 is a buffer overflow vulnerability in DD-WRT router firmware's UPnP service. It occurs when user-supplied data from UPnP packets is copied into a fixed-size buffer without proper bounds checking. An attacker can send a crafted UDP packet with an overly long UUID string in an M-SEARCH request, causing the buffer to overflow. This flaw is located in the ssdp.c source file and can lead to arbitrary code execution if UPnP is enabled.

Detection Guidance
  • Check if UPnP is enabled on your DD-WRT device by accessing the admin interface and reviewing UPnP settings.
  • Monitor network traffic for unusual UDP packets sent to port 1900, which may indicate exploitation attempts.
  • Use a packet sniffer like tcpdump to capture traffic on port 1900: tcpdump -i any udp port 1900 -v.
  • Inspect system logs for crashes or errors in the UPnP service, which may suggest a buffer overflow event.
  • Verify the DD-WRT firmware version; versions with change set 45723 or earlier are vulnerable.
Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable DD-WRT devices. Exploitation can lead to device compromise, malware installation like the C0XMO botnet, lateral movement within networks, termination of rival malware, and participation in DDoS attacks. Attackers can also brute-force weak credentials on other systems and deploy additional malicious payloads.

Mitigation Strategies
  • Disable UPnP on your DD-WRT device if not required, as it is off by default and listens only on internal interfaces.
  • Update DD-WRT firmware to change set 45724 or later to patch the buffer overflow vulnerability.
  • Disable unnecessary services like Telnet and SSH to reduce attack surfaces.
  • Enforce strong, unique credentials for router access and disable remote administration.
  • Monitor network traffic for signs of exploitation or botnet activity, such as unusual outbound connections.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-27137. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart