CVE-2022-43643

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers on the same network to execute arbitrary code on D-Link DIR-825 routers without authentication. The flaw exists in the xupnpd service's Generic plugin, which fails to properly validate user input before executing system commands. Attackers can exploit this to gain admin-level access to affected routers.

💻 Affected Systems

Products:
  • D-Link DIR-825
Versions: 1.0.9/EE
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects routers with xupnpd service enabled on TCP port 4044

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with persistent backdoor installation, network traffic interception, and lateral movement to connected devices.

🟠

Likely Case

Router takeover allowing DNS hijacking, credential theft from network traffic, and botnet recruitment.

🟢

If Mitigated

Limited impact if router is isolated from critical systems and network segmentation prevents lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network adjacency but no authentication, making it attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest firmware

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10319

Restart Required: Yes

Instructions:

1. Access router admin interface
2. Check for firmware updates
3. Download and install latest firmware
4. Reboot router

🔧 Temporary Workarounds

Disable xupnpd service

Platform: all

Disable the vulnerable xupnpd service on port 4044

Check router admin interface for service management options

Block port 4044

Platform: linux

Block external and internal access to TCP port 4044

iptables -A INPUT -p tcp --dport 4044 -j DROP

🧯 If You Can't Patch

  • Isolate router on separate VLAN from critical systems
  • Implement strict network segmentation and monitor for unusual port 4044 traffic

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version and whether the xupnpd service is listening on TCP port 4044

Check Version:

Check router admin interface or use nmap -sV -p 4044 [router_ip]

Verify Fix Applied:

Verify that the firmware version has been updated and that port 4044 is no longer listening (or the xupnpd service is disabled)

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to port 4044
  • Unexpected system command execution in router logs

Network Indicators:

  • Traffic to router port 4044 from unexpected sources
  • Unusual outbound connections from router

SIEM Query:

(source_port=4044 OR dest_port=4044) AND (device_type="router" OR device_vendor="D-Link")
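The query above only works as intended when the port test is grouped before the AND; without the parentheses, AND binds tighter and any flow with source port 4044 on any device would match. The following added example (not part of this advisory or any vendor tooling) applies that grouped logic to constructed flow records and then flags port-4044 traffic from sources outside an operator-maintained allowlist, as the Network Indicators section suggests. Field names and the allowlist are assumptions, not a specific SIEM's schema.

```python
# Added example: detection logic for CVE-2022-43643 (xupnpd on TCP 4044)
# applied to constructed flow records. Field names are assumptions.
XUPNPD_PORT = 4044

# Constructed sample records; not real traffic.
SAMPLE_FLOWS = [
    {"src_ip": "192.168.1.50", "src_port": 51234, "dst_ip": "192.168.1.1",
     "dst_port": 4044, "device_vendor": "D-Link", "device_type": "router"},
    {"src_ip": "192.168.1.10", "src_port": 40001, "dst_ip": "192.168.1.1",
     "dst_port": 4044, "device_vendor": "D-Link", "device_type": "router"},
    # Source port 4044 on a non-router: matches the ungrouped query, not the grouped one.
    {"src_ip": "10.0.0.7", "src_port": 4044, "dst_ip": "10.0.0.9",
     "dst_port": 443, "device_vendor": "Acme", "device_type": "server"},
    {"src_ip": "192.168.1.50", "src_port": 51300, "dst_ip": "192.168.1.1",
     "dst_port": 80, "device_vendor": "D-Link", "device_type": "router"},
]


def matches_siem_query(flow):
    """Grouped form of the page's SIEM query:
    (src or dst port is 4044) AND (device is a router or made by D-Link)."""
    port_hit = flow["src_port"] == XUPNPD_PORT or flow["dst_port"] == XUPNPD_PORT
    device_hit = flow["device_type"] == "router" or flow["device_vendor"] == "D-Link"
    return port_hit and device_hit


def matches_ungrouped_query(flow):
    """The query as originally written: AND binds before OR, so a bare
    source_port=4044 on any device is enough to match."""
    return flow["src_port"] == XUPNPD_PORT or (
        flow["dst_port"] == XUPNPD_PORT
        and (flow["device_type"] == "router" or flow["device_vendor"] == "D-Link")
    )


def find_suspicious_xupnpd_flows(flows, expected_sources):
    """Return flows that reach TCP 4044 on a router/D-Link device from a
    source that is not in the allowlist of hosts expected to use xupnpd."""
    return [
        f for f in flows
        if matches_siem_query(f) and f["src_ip"] not in expected_sources
    ]


if __name__ == "__main__":
    # Assumed allowlist: one known media client on the LAN.
    for hit in find_suspicious_xupnpd_flows(SAMPLE_FLOWS, {"192.168.1.10"}):
        print(f"ALERT: {hit['src_ip']} -> {hit['dst_ip']}:{hit['dst_port']}")
```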

🔗 References
