← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2021-27137 · CWE-120 · Disclosed 2021-03-24

DD-WRT UPnP SSDP `uuid` buffer overflow in M-SEARCH handling

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded mousetrap hidden behind an interior door, not a grenade in the lobby

CVE-2021-27137 is a buffer overflow in DD-WRT's UPnP/SSDP handling: a crafted M-SEARCH request with an oversized uuid/ST value can smash an internal buffer and potentially lead to code execution on the router. The SSD Secure Disclosure advisory says affected builds are DD-WRT changeset 45723 or earlier, and it explicitly warns that Buffalo devices shipping with DD-WRT should be treated as affected too. DD-WRT fixed it in changeset 45724.

In a vacuum this smells like a router RCE and people will want to slap a 9.8 on it. In the real world, that overstates enterprise risk because the vendor-side writeup says UPnP is disabled by default and listens on internal interfaces, so the usual attacker position is already on the LAN or benefiting from a bad edge exposure decision. That said, FortiGuard reported botnet exploitation on June 3, 2026, so this is not lab-only anymore; that active-use signal pulls it back up to HIGH.

"Root on a router matters, but default-off UPnP and LAN reachability requirements keep this below CRITICAL"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the SSDP listener

The attacker first needs packet reachability to DD-WRT's UPnP service, typically UDP/1900. Per SSD's advisory, DD-WRT normally keeps UPnP disabled by default and bound to internal interfaces, so the common path is LAN adjacency or a router that has UPnP enabled and exposed more broadly than intended.
Conditions required:
  • Target is running DD-WRT changeset 45723 or earlier
  • UPnP service is enabled
  • Attacker can reach UDP/1900 on the device
Where this breaks in practice:
  • UPnP is disabled by default according to the disclosure
  • Typical enterprise routers are not DD-WRT in the first place
  • Many deployments do not expose SSDP off-LAN
Detection/coverage: Network controls can see this stage well if you watch UDP/1900. FortiGuard publishes IPS signature 56117, SonicWall has signature 15489, and ET rule packs include ET EXPLOIT DD-WRT UPNP Unauthenticated Buffer Overflow (CVE-2021-27137).
STEP 02

Trigger the overflow with crafted M-SEARCH

Using the public SSD advisory details or Exploit-DB-referenced PoC material, the attacker sends malformed M-SEARCH traffic carrying an oversized uuid/ST value. The vulnerable parser copies attacker-controlled data into a fixed-size buffer without sufficient bounds checking, producing a stack overflow condition.
Conditions required:
  • Attacker can send arbitrary SSDP discovery packets
  • Device is processing UPnP discovery requests
Where this breaks in practice:
  • Malformed SSDP bursts can stand out in packet captures
  • Some devices may crash before reliable control is achieved
Detection/coverage: IDS/IPS coverage is decent because the packet pattern is specific. Signature-based inspection is much better here than host EDR, since the target is a small router OS.
STEP 03

Convert memory corruption into execution

Impact depends on platform details, compiler choices, and runtime mitigations. SSD explicitly notes exploitability can vary by platform because protections like ASLR may or may not be present, so this is not guaranteed one-shot RCE across every supported router image.
Conditions required:
  • Target hardware/firmware combination is reliably exploitable
  • Attacker has offsets or technique that fits the device family
Where this breaks in practice:
  • Exploit reliability is hardware-specific
  • ASLR and related mitigations can turn RCE into crash-only behavior
  • DD-WRT runs on many router models, increasing exploit engineering cost
Detection/coverage: Host-native telemetry is usually poor on embedded routers. In practice you detect this via crash/reboot events, anomalous outbound traffic, or upstream IPS hits.
STEP 04

Own the router and pivot

Successful exploitation gives the attacker control of a high-value network choke point. From there they can implant botnet malware, redirect traffic, tamper with DNS/NAT behavior, observe internal flows, or use the device as a staging point for further internal abuse.
Conditions required:
  • Successful code execution on the router
  • Ability to persist or re-access the device
Where this breaks in practice:
  • Some devices have limited storage and unstable persistence options
  • Operational noise from router instability can trigger investigation
Detection/coverage: Watch for unexpected outbound scans, DNS changes, cron/startup tampering, hidden binaries under /tmp, and sudden reboots. FortiGuard's June 3, 2026 writeup shows real botnet post-exploitation behavior defenders can hunt for.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo CISA KEV listing was provided and I did not find this CVE in the public KEV catalog, but FortiGuard Labs reported active exploitation on June 3, 2026 by the Gafgyt variant C0XMO against a Japanese technology firm.
Public exploit / PoCThe original SSD Secure Disclosure post includes technical analysis and packet structure; NVD's later DD-WRT record CVE-2021-47854 references Exploit-DB 49730 for the same DD-WRT UPnP overflow pattern.
EPSSI could not validate a FIRST EPSS score specific to CVE-2021-27137 from reviewed accessible sources. Given the sparse CVE metadata, observed exploitation is more useful than EPSS here.
Affected versionsDD-WRT changeset 45723 or earlier; SSD also says Buffalo devices shipping with DD-WRT should be considered vulnerable.
Fixed versionVendor response in the SSD advisory points to DD-WRT changeset 45724 as the fix.
Exposure realityThe most important friction: UPnP is disabled by default and only listens on internal interfaces according to SSD. In enterprise terms, that usually means post-initial-access / internal-adjacent, unless someone exposed SSDP badly.
Detection coverageFortiGuard IPS 56117, SonicWall signature 15489, and ET rule coverage are all available, which materially helps defenders spot scanning and weaponization attempts on UDP/1900.
Disclosure timelinePublicly disclosed by SSD Secure Disclosure on 2021-03-24. A later, separate NVD entry for closely matching DD-WRT issue details, CVE-2021-47854, was added on 2026-01-21 by VulnCheck.
Researchers / lineageInitial credit goes to Selim Enes Karaduman via SSD. Q. Kaiser / IoT Inspector / ONEKEY later tied the bug class to a longer-lived Broadcom SDK supply-chain issue affecting DD-WRT, Cisco, and others.
CVSS contextThere is no authoritative vendor/CNA CVSS baseline for CVE-2021-27137 in the original disclosure flow. A later VulnCheck-issued NVD record (CVE-2021-47854) scores the equivalent flaw at 9.8, but that is not a valid vendor baseline for your requested compare/no-compare decision.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to HIGH (7.7/10)

The decisive factor is that this has real exploitation evidence, not just theoretical router-RCE optics. But the path is still meaningfully narrowed by UPnP being default-off and usually LAN-reachable only, which keeps this out of CRITICAL for a 10,000-host enterprise program.

HIGH Affected build range and fixed build (`45723` and earlier, fixed in `45724`)
HIGH Primary friction: UPnP default-off and internal-interface reachability from the SSD disclosure
MEDIUM Breadth of current internet exposure and prevalence across enterprise fleets
MEDIUM Equivalence between sparse original CVE data and the later VulnCheck/NVD duplicate-style record

Why this verdict

  • Started high on impact: if exploitation lands, the attacker is on the router, which is a privileged network pivot with outsized blast radius compared to an ordinary endpoint bug.
  • Downgraded for attacker position: SSD says UPnP is disabled by default and bound to internal interfaces, which usually means the attacker needs internal network reachability or a prior exposure mistake. That is real-world downward pressure because it often implies post-initial-access, not clean internet-first compromise.
  • Pulled back up for exploitation evidence: FortiGuard documented botnet use of this CVE on 2026-06-03. That pushes the issue above MEDIUM even though the reachable population is narrower than the raw bug class suggests.

Why not higher?

This is not CRITICAL because the exploit chain is not broadly frictionless across enterprise reality. The combination of default-off service, likely LAN adjacency requirement, and hardware-specific exploit reliability means the reachable population is much smaller than a classic internet-facing server RCE.

Why not lower?

This is not LOW or IGNORE because successful exploitation compromises a router, not a low-value userland process. There is also public technical detail, IDS/IPS coverage, and now exploitation evidence, so treating it as mere backlog hygiene would understate the operational risk for any fleet that still has DD-WRT in scope.

05 · Compensating Control

What to do — in priority order.

  1. Disable UPnP now — If you cannot confirm a fixed build immediately, shut off the vulnerable service path by setting upnp_enable=0 and validating the daemon is no longer listening. Because there is active exploitation evidence, do this immediately, within hours, not on a normal HIGH schedule.
  2. Block UDP/1900 to router management planes — Use ACLs/firewall policy to prevent SSDP/UPnP discovery traffic from untrusted segments from ever reaching DD-WRT devices. For exposed, guest, lab, or branch networks, deploy this immediately, within hours as the fastest blast-radius reduction.
  3. Hunt for compromised routers — Review network telemetry for malformed or high-volume M-SEARCH traffic, unexpected outbound scans, sudden DNS/NAT changes, hidden payloads under /tmp, and abnormal reboots. Because botnet tradecraft is public, start the hunt immediately, within hours.
  4. Replace or reflash stragglers — Move any surviving DD-WRT devices to changeset 45724 or later, or replace them if they are unmanaged or unsupported. With active exploitation evidence, prioritize exposed and branch-edge gear first and begin execution immediately, within hours.
What doesn't work
  • Endpoint EDR on user workstations does nothing for the vulnerable code path on the router itself.
  • MFA does nothing here because the attack lands on an unauthenticated discovery service, not a login flow.
  • Relying on 'it's not in KEV' is false comfort; KEV absence does not negate active exploitation evidence from threat research.
  • Turning off only remote web administration is not enough; the vulnerable surface is UPnP/SSDP on UDP/1900.
06 · Verification

Crowdsourced verification payload.

Run this on the DD-WRT device itself over SSH or serial/Telnet as root. Example: scp check_cve_2021_27137.sh [email protected]:/tmp/ && ssh [email protected] 'sh /tmp/check_cve_2021_27137.sh'. It needs root because it reads NVRAM and local process/listener state.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/bin/sh
# check_cve_2021_27137.sh
# Purpose: determine whether a DD-WRT device is likely affected by CVE-2021-27137
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

THRESHOLD=45723
TMPFILE="/tmp/cve_2021_27137_check.$$"
trap 'rm -f "$TMPFILE"' EXIT

say() {
  echo "$1"
}

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

# Gather candidate text from common DD-WRT locations.
{
  echo "=== /etc/banner ==="
  [ -r /etc/banner ] && cat /etc/banner
  echo
  echo "=== uname -a ==="
  uname -a 2>/dev/null
  echo
  echo "=== nvram keys ==="
  if have_cmd nvram; then
    nvram get os_version 2>/dev/null
    nvram get os_date 2>/dev/null
    nvram get router_name 2>/dev/null
    nvram get upnp_enable 2>/dev/null | sed 's/^/upnp_enable=/'
    nvram show 2>/dev/null | grep -E '^(os_version|os_date|router_name|upnp_enable)=' 2>/dev/null
  fi
} > "$TMPFILE"

# Basic product sanity check.
if ! grep -qi 'dd-wrt' "$TMPFILE"; then
  say "UNKNOWN: could not positively identify DD-WRT from local banner/NVRAM"
  exit 2
fi

# Extract revision/build numbers from typical strings such as:
#   DD-WRT v3.0-r45723 std
#   SVN revision 45723
REV=$(grep -Eoi 'r[0-9]{5,6}|SVN revision[[:space:]]+[0-9]{5,6}' "$TMPFILE" | head -n 1 | sed -E 's/^r//I; s/^SVN revision[[:space:]]+//I')

if [ -z "$REV" ]; then
  # Fallback: pick a 5-6 digit number near dd-wrt strings if present.
  REV=$(grep -Eoi '[0-9]{5,6}' "$TMPFILE" | head -n 1)
fi

UPNP_STATE="unknown"
if have_cmd nvram; then
  UPNP_RAW=$(nvram get upnp_enable 2>/dev/null)
  case "$UPNP_RAW" in
    1|on|enabled|true|TRUE) UPNP_STATE="enabled" ;;
    0|off|disabled|false|FALSE) UPNP_STATE="disabled" ;;
    *) UPNP_STATE="unknown" ;;
  esac
fi

PROC_STATE="not-seen"
if ps 2>/dev/null | grep -E 'miniupnpd|upnp' | grep -v grep >/dev/null 2>&1; then
  PROC_STATE="running"
fi

LISTEN_STATE="unknown"
if have_cmd netstat; then
  if netstat -anu 2>/dev/null | grep -E '[:.]1900[[:space:]]' >/dev/null 2>&1; then
    LISTEN_STATE="udp1900-listening"
  else
    LISTEN_STATE="no-udp1900-listener-seen"
  fi
fi

if [ -z "$REV" ]; then
  say "UNKNOWN: DD-WRT detected but build/revision could not be parsed"
  say "DETAILS: upnp=$UPNP_STATE process=$PROC_STATE listener=$LISTEN_STATE"
  exit 2
fi

if [ "$REV" -le "$THRESHOLD" ] 2>/dev/null; then
  say "VULNERABLE: DD-WRT revision $REV is <= $THRESHOLD"
  say "DETAILS: upnp=$UPNP_STATE process=$PROC_STATE listener=$LISTEN_STATE fixed-build=45724+"
  exit 1
fi

say "PATCHED: DD-WRT revision $REV is > $THRESHOLD"
say "DETAILS: upnp=$UPNP_STATE process=$PROC_STATE listener=$LISTEN_STATE"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: identify every DD-WRT asset, especially branch, lab, OT, guest-network, and MSP-managed routers; then patch / mitigate immediately, within hours because there is active exploitation evidence, overriding the normal HIGH timing under the noisgate mitigation SLA. If you find build 45723 or earlier, disable UPnP and block untrusted UDP/1900 reachability immediately, then move to changeset 45724 or later; formally you still have up to 180 days under the noisgate remediation SLA, but any internet-exposed or business-critical edge router should be treated as same-day patch or replacement work, not something you leave for the long window.

Sources

  1. SSD Secure Disclosure advisory
  2. ONEKEY / IoT Inspector Broadcom SDK research
  3. FortiGuard Labs exploitation report
  4. SonicWall IPS signature 15489
  5. ET/IPFire signature pack evidence
  6. NVD later DD-WRT record CVE-2021-47854
  7. CISA Known Exploited Vulnerabilities Catalog
  8. Seebug mirror preserving vendor response details
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.