Mallory
Unrated

Stack Buffer Overflow in DD-WRT UPnP via SSDP M-SEARCH

Identifiers: CVE-2021-27137, CWE-121

CVE-2021-27137 is a stack-based buffer overflow in the UPnP service of affected DD-WRT router firmware. The flaw is triggered when the SSDP parser mishandles oversized ST: uuid: values in crafted M-SEARCH requests sent to UDP port 1900. A remote attacker can send malicious SSDP discovery traffic to the exposed UPnP service and corrupt stack memory; this has been observed in the wild as an initial access vector for the C0XMO/Gafgyt botnet. The vulnerability affects DD-WRT firmware versions that contain the flawed parser and have the UPnP service enabled and reachable.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a remote attacker to gain control of the vulnerable router or embedded Linux device. In observed attacks, exploitation was used to deliver and execute botnet malware, establish persistence, connect to command-and-control infrastructure, and use the compromised device for further propagation and DDoS activity. Because the flaw is a stack buffer overflow in a network-facing service, impact can include arbitrary code execution, full device compromise in the context of the affected service, and subsequent abuse of the device as part of a botnet.

Mitigation

If you can’t patch tonight, do this now.

Disable UPnP on affected DD-WRT devices where it is not strictly required. Block or restrict SSDP/UPnP traffic, especially UDP port 1900, from untrusted networks and prevent WAN-side exposure of the UPnP service. Apply network filtering and IPS signatures capable of detecting crafted M-SEARCH exploitation attempts. Segment embedded/network devices from critical assets, monitor for anomalous outbound C2 traffic and botnet behavior, and perform incident response on devices suspected of compromise because exploitation has been observed in the wild.

Remediation

Patch, then assume compromise.

Upgrade DD-WRT firmware to a version in which CVE-2021-27137 is fixed, if an updated vendor-supported build is available for the affected hardware. If no fixed firmware is available, replace unsupported devices or migrate to maintained firmware. Review exposed UPnP/SSDP services on WAN-facing interfaces, remove unauthorized internet exposure, and inspect potentially affected devices for signs of compromise such as unexpected binaries or scripts in temporary directories, persistence via cron or shell profile modifications, and outbound connections to known campaign infrastructure.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

Valid: 0 / 0 total

No public exploit code observed for this vulnerability.
