PT-2026-46055 · DD-WRT · DD-WRT UPnP

Published 2026-06-03 · Updated 2026-06-08 · CVE-2021-27137

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

DD-WRT (affected versions not specified)

Description

A stack-based buffer overflow exists in the UPnP service of certain DD-WRT router firmware. The service mishandles large ST:uuid values in crafted M-SEARCH requests received on UDP port 1900. The flaw allows the C0xmo botnet, a Gafgyt variant, to compromise devices without credentials. Once a device is infected, the malware terminates competing botnets to keep exclusive control and establishes persistence by modifying ~/.bashrc, ~/.profile and ~/.bash_profile, creating cron jobs that relaunch it every 15 minutes, and hiding copies of itself in /tmp/.sys, /var/tmp/.sys and /dev/shm/.sys.

The botnet uses a standalone Python scanner to detect device architectures and deploy payloads for ARM, MIPS, PowerPC, SuperH, MC68000, Intel 80386 and AMD64. It targets Linux servers, IoT devices and Android devices exposed via the Android Debug Bridge (ADB). A confirmed incident involved a Japanese technology firm, where the infection originated from an IP address in Germany. The malware supports 19 different DDoS attack methods and communicates with a command-and-control server.

Recommendations

Disable UPnP on UDP port 1900 immediately. Update router firmware to the latest version. At the moment there is no information about a newer version that contains a fix for this vulnerability.
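As an added defender-side example (not code from this advisory or from the DD-WRT project), the following Python check parses UDP/1900 datagrams and flags M-SEARCH requests whose ST value is far longer than legitimate discovery traffic uses, which is the trigger pattern described above. The 128-byte threshold and the two sample datagrams are constructed assumptions, not values taken from the advisory.

```python
from typing import Dict, Optional

# Assumed alert threshold (not a value from the advisory): legitimate
# ST values such as "ssdp:all", "upnp:rootdevice", "urn:..." or
# "uuid:<36-char UUID>" stay well under 128 bytes.
MAX_ST_LEN = 128


def parse_msearch(datagram: bytes) -> Optional[Dict[str, str]]:
    """Return the headers (names lower-cased) of an SSDP M-SEARCH request,
    or None if the datagram is not one."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None  # SSDP is ASCII text; binary junk is not an M-SEARCH
    lines = text.splitlines()
    if not lines or not lines[0].startswith("M-SEARCH "):
        return None  # NOTIFY messages and search responses are out of scope
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines rather than aborting
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(datagram: bytes, max_st_len: int = MAX_ST_LEN) -> str:
    """Return 'ignore', 'ok' or 'suspicious' for one UDP/1900 payload."""
    headers = parse_msearch(datagram)
    if headers is None:
        return "ignore"
    st = headers.get("st", "")
    # The advisory's trigger is an oversized ST:uuid value; any ST far
    # beyond normal length is worth an alert regardless of its prefix.
    return "suspicious" if len(st) > max_st_len else "ok"


# Constructed sample datagrams (not captured traffic).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
OVERSIZED = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: uuid:' + b"A" * 600
             + b"\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, classify(pkt))  # benign ok / oversized suspicious
```

A sensor feeding real UDP/1900 captures into classify() should tune max_st_len against its own baseline before alerting.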

Related Identifiers

CVE-2021-27137

Affected Products

DD-WRT UPnP