Cyber Resilience

CVE-2021-45382

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 17 February 2022

Published
17 February 2022
Modified
10 November 2025
KEV Added
04 April 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9435 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-45382 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-820L Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).

Deeper analysis

A remote command execution vulnerability exists in the DDNS function of the ncc2 binary on D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers across all hardware revisions. The flaw is tracked as CVE-2021-45382, carries a CVSS 3.1 score of 9.8, and is categorized under CWE-78 for improper neutralization of special elements used in an OS command.

An unauthenticated attacker with network access can send crafted requests to the affected DDNS component and execute arbitrary commands on the device, resulting in full compromise of confidentiality, integrity, and availability without any user interaction.

D-Link has stated in advisory SAP10264 that all listed models have reached end-of-life and end-of-service status, so no firmware patches will be issued. The vulnerability is also catalogued by CISA as actively exploited in the wild, with public proof-of-concept code available.

The GitHub repository linked in the references demonstrates command injection via the DDNS interface on unpatched units.

EU & UK References

Vulnerability details

A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their…

more

End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched.

CWE(s)
KEV Date Added
04 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
dir-820l firmware
all versions
dlink
dir-820lw firmware
all versions
dlink
dir-826l firmware
all versions
dlink
dir-830l firmware
all versions
dlink
dir-836l firmware
all versions
dlink
dir-810l firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires replacing or isolating EOL devices that will never receive a patch for the DDNS command-injection flaw.

prevent

Boundary-protection rules can block unauthenticated network access to the vulnerable DDNS listener before any crafted request reaches ncc2.

prevent

Enforces authentication and authorization checks on the DDNS interface so that unauthenticated attackers cannot reach the command-injection vector.

References