CVE-2021-27137 in DD-WRTinfo

Summary

by MITRE • 07/16/2026

An issue was discovered in router/upnp/src/ssdp.c in DD-WRT before 45724. An unsafe strcpy in the UPnP handling functionality allows an unauthenticated remote attacker to send a request that would overflow an internal fixed buffer. Exploitation requires the DD-WRT user to enable UPnP (which is off by default, and only listens on internal interfaces by default). This occurs in ssdp_msearch (reachable by an M-SEARCH request).

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability exists within the Universal Plug and Play implementation of DD-WRT firmware versions prior to 45724 where a classic buffer overflow flaw resides in the router/upnp/src/ssdp.c file. The specific issue occurs in the ssdp_msearch function which processes M-SEARCH requests that are part of the SSDP (Simple Service Discovery Protocol) implementation used by UPnP devices to discover services on local networks. The vulnerability stems from an unsafe use of the strcpy function without proper bounds checking, creating a classic stack-based buffer overflow condition that can be exploited remotely.

The technical execution of this vulnerability requires an attacker to send a specially crafted M-SEARCH request to the UPnP service endpoint, which operates on port 1900 UDP by default. While UPnP is disabled by default in DD-WRT installations and only listens on internal interfaces, attackers who have gained access to the local network or have already compromised other system components could potentially leverage this vulnerability. The buffer overflow occurs when processing incoming UPnP discovery requests that contain oversized strings in specific headers, allowing an attacker to overwrite adjacent memory locations and potentially execute arbitrary code with the privileges of the UPnP service process.

This vulnerability aligns with CWE-121 Stack-based Buffer Overflow and represents a significant security risk within embedded networking systems where remote code execution capabilities could be achieved. The attack vector follows ATT&CK technique T1068 for locally executed commands and T1071.004 for application layer protocols, particularly focusing on service discovery protocols that are commonly targeted in network reconnaissance activities. The impact extends beyond simple denial of service as the buffer overflow could potentially allow privilege escalation or complete system compromise depending on memory layout and process permissions.

The operational risk is elevated when considering that many users disable UPnP security features without fully understanding the implications, creating an attack surface that may not be properly secured. Network administrators should verify that UPnP is disabled unless explicitly required for legitimate network services, as this vulnerability demonstrates how seemingly innocuous network protocols can become entry points for more sophisticated attacks. The fix implemented in DD-WRT version 45724 involves proper bounds checking and use of safer string handling functions to prevent the buffer overflow condition from occurring.

Mitigation strategies include immediate firmware updates to versions 45724 or later, disabling UPnP functionality on devices where it is not required, and implementing network segmentation to limit access to UPnP service endpoints. Security monitoring should focus on detecting unusual M-SEARCH request patterns and potential exploitation attempts targeting UPnP services. Organizations should also consider implementing network access controls that restrict UPnP traffic to trusted internal segments only, as the default configuration of listening only on internal interfaces provides some protection against external attacks but not against internal compromise scenarios.

Responsible

MITRE

Reservation

02/10/2021

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!