CVE-2021-47854 Overview
CVE-2021-47854 is a buffer overflow vulnerability affecting DD-WRT version 45723 in the UPNP (Universal Plug and Play) network discovery service. This vulnerability allows remote attackers to potentially execute arbitrary code on affected devices by sending specially crafted M-SEARCH packets containing oversized UUID payloads. The vulnerability exists due to improper input validation when processing UPNP discovery requests, which can trigger buffer overflow conditions on target devices.
Critical Impact
Remote attackers can exploit this vulnerability without authentication to potentially achieve arbitrary code execution on DD-WRT routers, compromising network infrastructure and enabling further lateral movement.
Affected Products
- DD-WRT firmware version 45723
- DD-WRT devices with UPNP service enabled
- Routers running vulnerable DD-WRT builds from 2021
Discovery Timeline
- 2026-01-21 - CVE-2021-47854 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47854
Vulnerability Analysis
This buffer overflow vulnerability (CWE-120: Buffer Copy without Checking Size of Input) exists in the UPNP network discovery service implementation within DD-WRT firmware. The vulnerability is network-accessible, requiring no authentication or user interaction to exploit. When the UPNP service processes incoming M-SEARCH discovery packets, it fails to properly validate the length of UUID field data before copying it into a fixed-size buffer.
The exploitation mechanism involves sending malicious M-SEARCH packets to the UPNP service, which typically listens on UDP port 1900. By including an oversized UUID payload in these packets, an attacker can overflow the destination buffer, potentially overwriting adjacent memory regions including return addresses or function pointers. This can lead to denial of service conditions or, in more sophisticated attacks, arbitrary code execution with the privileges of the UPNP service.
Root Cause
The root cause of CVE-2021-47854 is a classic buffer copy operation that does not verify the size of the input before writing to a destination buffer. The UPNP service in DD-WRT version 45723 allocates a fixed-size buffer to store UUID data extracted from incoming M-SEARCH requests. When processing the UUID field from discovery packets, the code performs an unbounded copy operation, allowing attacker-controlled data to exceed buffer boundaries and corrupt adjacent memory.
Attack Vector
The attack vector for this vulnerability is network-based, allowing remote exploitation. An attacker positioned on the same network segment, or in some cases from the WAN interface if UPNP is externally exposed, can craft malicious SSDP M-SEARCH packets. The attack flow involves:
- Identifying a target device running vulnerable DD-WRT firmware with UPNP enabled
- Sending crafted M-SEARCH packets to UDP port 1900 containing oversized UUID payloads
- The vulnerable UPNP service processes the packet without proper bounds checking
- Buffer overflow occurs, potentially corrupting memory and enabling code execution
The vulnerability has been documented in the SSD Advisory on DD-WRT and a proof-of-concept exploit is available via Exploit-DB #49730. Administrators should review the VulnCheck Advisory for DD-WRT for additional technical details.
Detection Methods for CVE-2021-47854
Indicators of Compromise
- Unusual or malformed SSDP/UPNP traffic on UDP port 1900 with abnormally large packet sizes
- Router crashes, unexpected reboots, or unresponsive UPNP service
- Network traffic containing M-SEARCH requests with UUID fields exceeding normal length (typically >128 bytes)
- Signs of unauthorized access or configuration changes on DD-WRT devices
Detection Strategies
- Deploy network intrusion detection systems (IDS) with rules to identify oversized SSDP M-SEARCH packets
- Monitor for anomalous UDP traffic patterns targeting port 1900 on internal network devices
- Implement deep packet inspection to detect malformed UPNP discovery requests
- Configure logging on DD-WRT devices to capture UPNP service errors and crashes
Monitoring Recommendations
- Establish baseline UPNP traffic patterns and alert on significant deviations
- Monitor device health metrics including memory usage and service availability
- Implement network segmentation to limit UPNP traffic exposure and improve visibility
- Review router logs regularly for signs of exploitation attempts or service instability
How to Mitigate CVE-2021-47854
Immediate Actions Required
- Disable UPNP service on DD-WRT devices if not required for network operations
- Update DD-WRT firmware to the latest available version from the DD-WRT Beta Downloads page
- Restrict UPNP service access to trusted network segments only
- Implement firewall rules to block external access to UDP port 1900
Patch Information
DD-WRT users should check the official DD-WRT Home Page for firmware updates that address this vulnerability. It is recommended to upgrade to a firmware version newer than build 45723 that includes the security fix for the UPNP buffer overflow vulnerability. Review the security advisories and release notes for confirmation that the vulnerability has been patched in newer builds.
Workarounds
- Disable UPNP entirely via the DD-WRT web interface under Services → UPNP settings
- Configure firewall rules to block incoming SSDP traffic on UDP port 1900 from untrusted sources
- Enable UPNP only on specific, trusted VLANs with controlled access
- Consider using alternative UPnP implementations or manual port forwarding instead
# DD-WRT UPNP Disable Configuration (via nvram)
nvram set upnp_enable=0
nvram set upnp_nat_pmp_enable=0
nvram commit
reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
