D-Link Multiple Routers Remote Code Execution Vulnerability (CVE-2021-45382)
A remote code execution vulnerability exists in all series H/W revisions routers via the DDNS function in ncc2 binary file.
A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-04-25 under CISA BOD 22-01.
This is a OS Command Injection (CWE-78) vulnerability in D-Link Multiple Routers. A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: https://github.com/doudoudedi/D-LINK_Command_Injection1/blob/main/D-LINK_Command_injection.md
Manual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.