CVE-2021-45382 — D-Link Multiple Routers Remote Code Execution Vulnerability

D-Link Multiple Routers — EOL Router OS Command Injection via ncc2 DDNS Handler Enabling Unauthenticated RCE

The affected devices are consumer and small business wireless routers from D-Link that have reached end-of-life (EOL) status — meaning D-Link no longer releases firmware updates or security patches for them. EOL networking equipment represents a persistent security risk because vulnerabilities cannot be remediated through patching; the only appropriate response is device replacement. The affected models include D-Link DIR-810L, DIR-820L, DIR-820LW, DIR-826L, DIR-830L, and DIR-836L across all hardware revisions.

Overview

CVE-2021-45382 is an OS command injection vulnerability (CWE-78) in the ncc2 binary on multiple D-Link router models. The ncc2 binary handles Dynamic DNS (DDNS) update functionality, and it passes user-controlled input to OS command execution without adequate sanitization. A remote, unauthenticated attacker can send a specially crafted request to trigger arbitrary command execution on the router with root privileges. Because the affected devices are end-of-life, no patch is available — CISA's required action is to disconnect these devices.

Affected Versions

| Product | Status | Fixed |
|---|---|---|
| D-Link DIR-810L (all H/W revisions) | Vulnerable — EOL | No patch available |
| D-Link DIR-820L/LW (all H/W revisions) | Vulnerable — EOL | No patch available |
| D-Link DIR-826L (all H/W revisions) | Vulnerable — EOL | No patch available |
| D-Link DIR-830L (all H/W revisions) | Vulnerable — EOL | No patch available |
| D-Link DIR-836L (all H/W revisions) | Vulnerable — EOL | No patch available |

Technical Details

The ncc2 binary on these D-Link routers implements DDNS update functionality. The DDNS service allows the router to notify a dynamic DNS provider of its current public IP address — a common feature for home users with dynamic ISP IPs who want remote access. The binary processes configuration parameters from the router's web interface and passes them to OS commands without input validation:

  • Root cause: OS command injection (CWE-78) in the ncc2 binary's DDNS service handler
  • Authentication required: None — the vulnerability can be triggered remotely without credentials
  • Execution context: Commands execute as root on the router's Linux-based OS
  • Attack surface: The router's WAN-facing or LAN-facing web interface (port 80/443), depending on management interface exposure
  • No fix available: All affected models are EOL — D-Link will not release patches
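
The fix pattern for this class of bug, as an added example that is not D-Link's code and not taken from the ncc2 binary: validate the DDNS hostname against a strict allowlist, then hand it to the helper as a single argv element so no shell ever parses it. The helper path, the `--hostname` flag and the function names are hypothetical, and the sample values in `main` are constructed.

```c
/* Added illustration of the CWE-78 fix pattern; NOT code from ncc2.
 * Helper path, flag and function names are hypothetical.
 * Vulnerable shape: snprintf(cmd, n, "helper %s", host); system(cmd); */
#include <stdio.h>
#include <string.h>

#define DDNS_HELPER "/usr/sbin/ddns-helper"   /* hypothetical binary */

/* RFC 1123 hostname only: labels of 1-63 chars from [A-Za-z0-9-], no label
 * starting or ending with '-', total length 1-253. Returns 1 if valid. */
int ddns_hostname_ok(const char *s)
{
    size_t len, label = 0, i;
    if (!s || (len = strlen(s)) == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        char c = s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;       /* empty label or label ending in '-' */
            label = 0;
        } else if (!alnum && c != '-') {
            return 0;           /* shell metacharacters, spaces, quotes */
        } else if ((c == '-' && label == 0) || ++label > 63) {
            return 0;           /* leading '-' (option injection) or long label */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Fill argv for execv()/posix_spawn(): the value is one argument and is
 * never interpreted by /bin/sh. Returns 0 on success, -1 if rejected. */
int ddns_build_argv(const char *host, const char *argv[4])
{
    if (!ddns_hostname_ok(host))
        return -1;
    argv[0] = DDNS_HELPER; argv[1] = "--hostname";
    argv[2] = host;        argv[3] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[4];   /* constructed sample inputs below */
    printf("%d\n", ddns_build_argv("home.example.org", argv));   /* accepted */
    printf("%d\n", ddns_build_argv("home.example.org;x", argv)); /* rejected */
    return 0;
}
```

Rejecting a leading hyphen matters even without a shell, because an argv element that starts with `-` can still be read as an option by the helper.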

Discovery

The vulnerability was identified by security researchers examining D-Link's EOL router firmware. The CWE-78 classification confirms the root cause is improper neutralization of OS command metacharacters in the DDNS update code path.

Exploitation Context

Consumer routers with known unpatched vulnerabilities are attractive targets for botnet operators who recruit them for DDoS infrastructure, cryptocurrency mining, or proxy networks. Shodan and similar scanners routinely index exposed D-Link management interfaces. EOL devices on home networks often remain deployed for years after their security support window closes, creating a persistent pool of exploitable infrastructure. The CISA KEV addition reflects confirmed active exploitation in the wild.

Remediation

  1. Disconnect and replace the affected D-Link router immediately — no patch is available and D-Link will not release one
  2. Replace with a currently supported router model from D-Link or another vendor
  3. If replacement is not immediately possible: disable remote management (WAN-side web interface) and restrict management access to the LAN only
  4. Check for signs of compromise (unexpected DNS settings, new admin accounts, unusual traffic) before or during replacement
  5. Change all credentials (router admin, Wi-Fi passwords) on any replacement device

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-45382 |
| Vendor / Product | D-Link — Multiple Routers |
| NVD Published | 2022-02-17 |
| NVD Last Modified | 2025-11-10 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2022-04-04 |
| CISA KEV Deadline | 2022-04-25 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-04-25. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

| Date | Event |
|---|---|
| 2021-12 | Vulnerability identified in D-Link EOL routers (ncc2 binary DDNS function) |
| 2022-02-17 | CVE published |
| 2022-04-04 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-25 | CISA BOD 22-01 remediation deadline |
