CVE-2022-43645

8.8 HIGH

📋 TL;DR

This vulnerability allows an attacker on the same network (LAN or Wi-Fi) to execute arbitrary code on D-Link DIR-825 routers without authentication. The flaw is in the IVI plugin of the xupnpd service, which listens on TCP port 4044: a user-supplied string reaches a system call without proper validation, which enables command injection. Code runs in the context of the router's admin user, so a successful exploit is a full device takeover.

💻 Affected Systems

Products:
  • D-Link DIR-825
Versions: 1.0.9/EE firmware
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects routers with the xupnpd service running on TCP port 4044, which is enabled by default.

📦 What is this software?

The D-Link DIR-825 is a consumer dual-band wireless router; 1.0.9/EE is a regional firmware build for it. xupnpd is a small UPnP/DLNA media server, scriptable with Lua plugins, that the firmware bundles for streaming media and IPTV to devices on the LAN. Its plugins (the IVI plugin is the one at issue here) add specific content sources, and the service's HTTP port, TCP/4044 by default, is reachable by every LAN and Wi-Fi client.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to other devices, or join botnets.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential theft from connected devices, and network surveillance.

🟢

If Mitigated

Limited impact if untrusted devices cannot reach TCP/4044 on the router (service disabled or port blocked, guest and IoT devices kept off the main LAN) and administrative access is restricted.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network adjacency (a foothold on the LAN or Wi-Fi) but no authentication. The issue was disclosed through ZDI, whose advisory describes the flawed component; ZDI advisories do not carry exploit code, so the Public PoC rating above refers to proof-of-concept code circulating separately.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated on this page; consult the vendor advisory below for the fixed firmware for your hardware revision. If the advisory lists the device as end-of-life, no firmware fix will be issued and replacing the router is the only complete remediation.

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10319

Restart Required: Yes

Instructions:

1. Download the latest firmware for your exact hardware revision (printed on the device label; DIR-825 firmware images are revision-specific) from the D-Link support site.
2. Log into the router admin interface.
3. Navigate to the firmware update section.
4. Upload and install the new firmware.
5. Reboot the router and confirm the new version on the status page.

🔧 Temporary Workarounds

Block port 4044

linux

Prevent exploitation by blocking access to the vulnerable service port. Both workarounds need a shell on the router itself (telnet/SSH, where the firmware exposes one). Insert the rule at the top of INPUT: most router firmwares already carry an early ACCEPT for the LAN interface, and a rule appended with -A would sit behind it and never match. The rule does not survive a reboot.

iptables -I INPUT 1 -p tcp --dport 4044 -j DROP

Disable xupnpd service

linux

Stop the vulnerable service if it is not needed. killall is available in BusyBox; the binary path is typical but not confirmed by this page, and on a read-only squashfs root the chmod either fails or does not survive a reboot, so treat this as a per-boot measure and re-check after every restart.

killall xupnpd
chmod -x /usr/bin/xupnpd
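The two workarounds above combined into one router-side script, as an added example that is not D-Link's or xupnpd's code. It assumes a BusyBox shell on the router, a LAN bridge named br0, a management host at 192.168.0.2 that may keep using the service, and iptables with the LOG target; all four are assumptions to adjust. It inserts the rules at the head of INPUT (an appended DROP would sit behind the firmware's existing LAN ACCEPT), logs every SYN to 4044 before dropping it, and only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not D-Link's or xupnpd's code). Run on the router's own
# shell (telnet/SSH, where the firmware exposes one). Assumptions: BusyBox
# sh, iptables with the LOG target, LAN bridge "br0" and management host
# 192.168.0.2; all can be overridden from the environment. By default the
# script only prints the commands; APPLY=1 executes them.

LAN_IF="${LAN_IF:-br0}"               # assumed LAN bridge interface
MGMT_HOST="${MGMT_HOST:-192.168.0.2}" # assumed host still allowed to use xupnpd; empty = nobody
PORT="${PORT:-4044}"

# Print the iptables commands. Each one is INSERTED at position 1 (-I INPUT 1)
# rather than appended (-A): router firmwares usually carry an early
# "-i br0 -j ACCEPT" in INPUT, and a DROP appended behind it never matches.
# Inserting DROP, then ACCEPT, then LOG leaves the chain ordered
# LOG -> ACCEPT(mgmt) -> DROP, so every SYN to the port is logged first.
xupnpd_rules() {
    lan="$1"; port="$2"; mgmt="$3"
    printf 'iptables -I INPUT 1 -i %s -p tcp --dport %s -j DROP\n' "$lan" "$port"
    if [ -n "$mgmt" ]; then
        printf 'iptables -I INPUT 1 -i %s -p tcp --dport %s -s %s -j ACCEPT\n' "$lan" "$port" "$mgmt"
    fi
    printf 'iptables -I INPUT 1 -i %s -p tcp --syn --dport %s -j LOG --log-prefix "xupnpd-4044: "\n' "$lan" "$port"
}

# Stop the service for this boot. killall is part of BusyBox. No chmod on
# the binary: the root filesystem is normally a read-only squashfs, so it
# either fails or does not survive a reboot anyway.
xupnpd_stop_cmds() {
    echo 'killall xupnpd 2>/dev/null || true'
}

# 0 if something still listens on TCP port $1, 1 otherwise (BusyBox netstat).
port_listening() {
    netstat -tln 2>/dev/null | grep -q ":$1 "
}

run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then sh -c "$1"; else echo "$1"; fi
}

main() {
    xupnpd_rules "$LAN_IF" "$PORT" "$MGMT_HOST" | while IFS= read -r cmd; do run_or_print "$cmd"; done
    xupnpd_stop_cmds | while IFS= read -r cmd; do run_or_print "$cmd"; done
    if [ "${APPLY:-0}" = "1" ]; then
        if port_listening "$PORT"; then
            echo "xupnpd still listening on $PORT; only the iptables rules protect it"
        else
            echo "nothing listening on $PORT"
        fi
    fi
    echo "note: neither the rules nor the kill survive a reboot; re-run after every restart"
}

# Runs only when given an argument: "sh harden.sh go" prints, "APPLY=1 sh harden.sh go" applies.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the rules live only in kernel memory, re-run the script after every reboot (from a startup hook if the firmware offers one) and re-check with the verification steps below; if the LOG target is missing on the router's kernel, drop that one line and keep the ACCEPT/DROP pair.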

🧯 If You Can't Patch

  • Isolate the router's LAN-side services from untrusted devices: put guest, IoT and visitor devices on a guest network or VLAN that cannot reach the router's LAN address
  • Implement network segmentation to limit lateral movement if the router is compromised

🔍 How to Verify

Check if Vulnerable:

On a router shell, check whether the service is listening: netstat -tln | grep ':4044 ' (BusyBox netstat may not support -p). Without shell access, probe the router from a host on the LAN, e.g. nmap -p 4044 <router-ip> or nc -zv <router-ip> 4044; a reachable port means the service is exposed to every LAN and Wi-Fi client.

Check Version:

Read the firmware version and hardware revision from the web interface status page; on a router shell a file such as /etc/version may carry it, but the path varies by firmware.

Verify Fix Applied:

Confirm that TCP/4044 is no longer reachable from a LAN host and that the firmware version shown in the web interface matches the fixed release named in the vendor advisory.
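A LAN-side version of the checks above, as an added example that is not code from the page or the vendor: most users have no shell on the router, so this probes TCP/4044 from a client and, when the port is open, requests the xupnpd web page to confirm it is that service and not something else on the port. It assumes the router is at 192.168.0.1 (ROUTER=... overrides), bash with /dev/tcp, and optionally curl and timeout.

```shell
#!/bin/bash
# Added example, not D-Link or xupnpd code: run from a host on the router's
# LAN/Wi-Fi to see whether TCP/4044 is reachable and whether xupnpd answers.
# Assumptions: router at 192.168.0.1 (override with ROUTER=...), bash with
# /dev/tcp, optional curl for the HTTP check and timeout for bounded probes.

ROUTER="${ROUTER:-192.168.0.1}"  # assumed router LAN address
PORT=4044
TIMEOUT=3

# Prints "open" or "closed"; "closed" also covers filtered/dropped, which is
# what the iptables workaround produces. Exit status mirrors the result.
probe_port() {
    host="$1"; port="$2"
    if command -v timeout >/dev/null 2>&1; then
        runner="timeout $TIMEOUT bash"
    else
        runner="bash"
    fi
    if $runner -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
        echo open; return 0
    fi
    echo closed; return 1
}

# If the port is open, fetch the root page: xupnpd serves its web UI over
# this port, so a reply mentioning xupnpd shows the vulnerable service
# itself is exposed, not merely something else on 4044.
identify_service() {
    host="$1"; port="$2"
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl missing, skipping HTTP check"; return 2
    fi
    body=$(curl -s -m "$TIMEOUT" "http://$host:$port/" 2>/dev/null || true)
    case "$body" in
        *xupnpd*|*XUPNPD*) echo "xupnpd banner seen"; return 0 ;;
        "")                echo "no HTTP reply"; return 1 ;;
        *)                 echo "HTTP reply without xupnpd marker"; return 1 ;;
    esac
}

main() {
    if probe_port "$ROUTER" "$PORT"; then
        echo "TCP/$PORT on $ROUTER is reachable from this host: workaround/fix not in effect"
        identify_service "$ROUTER" "$PORT"
    else
        echo "TCP/$PORT on $ROUTER is not reachable from this host"
    fi
}

# Runs only when given an argument, e.g. "bash check_4044.sh go".
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it from the network segment that untrusted devices use (guest Wi-Fi, IoT VLAN), not only from the admin workstation, since "closed" from an allowed management host says nothing about what other clients can reach.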

📡 Detection & Monitoring

Log Indicators:

  • Connections to TCP/4044 from hosts that are not expected media clients, or bursts of connection attempts from a single host
  • Shells or other child processes spawned by xupnpd (the service should never launch commands), where the router exposes process information

Network Indicators:

  • Unexpected traffic to/from router port 4044
  • Anomalous outbound connections from router

SIEM Query:

source="router.log" (dest_port=4044 OR cmd="xupnpd")

Field names depend on the log source; substitute the ones your router or firewall emits (for netfilter LOG lines, SRC and DPT).
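A detection pass over the kind of syslog lines a netfilter LOG rule on the router produces, as an added example that is not part of the page or any vendor tooling. The log lines are constructed for the example; the log prefix xupnpd-4044: and the management host 192.168.0.2 are assumptions. It counts TCP SYNs to port 4044 per source so that each connection attempt is counted once, and reports every source other than the allowed host.

```shell
#!/bin/sh
# Added example, not part of the original page or any vendor tooling: a
# detection pass over router syslog lines written by an iptables LOG rule
# with prefix "xupnpd-4044: " (any netfilter LOG line carrying SRC=/DPT=
# fields works). The sample lines below are CONSTRUCTED for this example.

sample_log() {
cat <<'EOF'
Jan 14 10:01:02 router kernel: xupnpd-4044: IN=br0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=4044 WINDOW=64240 SYN URGP=0
Jan 14 10:01:07 router kernel: xupnpd-4044: IN=br0 OUT= SRC=192.168.0.77 DST=192.168.0.1 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=4044 WINDOW=64240 SYN URGP=0
Jan 14 10:01:08 router kernel: xupnpd-4044: IN=br0 OUT= SRC=192.168.0.77 DST=192.168.0.1 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=4044 WINDOW=64240 SYN URGP=0
Jan 14 10:01:09 router kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=60 TTL=52 PROTO=TCP SPT=5555 DPT=80 WINDOW=1024 SYN URGP=0
Jan 14 10:01:10 router kernel: xupnpd-4044: IN=br0 OUT= SRC=192.168.0.77 DST=192.168.0.1 LEN=52 TTL=64 PROTO=TCP SPT=40002 DPT=4044 WINDOW=501 ACK URGP=0
Jan 14 10:01:11 router kernel: xupnpd-4044: IN=br0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=4044 WINDOW=64240 SYN URGP=0
Jan 14 10:01:12 router kernel: xupnpd-4044: IN=br0 OUT= SRC=192.168.0.150 DST=192.168.0.1 LEN=60 TTL=64 PROTO=TCP SPT=22222 DPT=4044 WINDOW=64240 SYN URGP=0
EOF
}

# Read LOG lines on stdin; print "source count" for every source that sent
# a TCP SYN to port 4044 and is not the allowed management host ($1, may be
# empty). Only SYNs are counted so each connection attempt counts once;
# ACK lines from the same session and traffic to other ports are skipped.
flag_4044_sources() {
    awk -v allow="$1" '
        /PROTO=TCP/ && /DPT=4044( |$)/ && / SYN / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "" && src != allow) hits[src]++
        }
        END { for (s in hits) print s, hits[s] }
    ' | sort
}

# Usage: sh detect_4044.sh /var/log/messages 192.168.0.2
if [ $# -gt 0 ]; then flag_4044_sources "${2:-}" < "$1"; fi
```

On the constructed sample this reports 192.168.0.150 (one attempt) and 192.168.0.77 (two SYNs; its ACK line is not counted), while the allowed host 192.168.0.2 and the WAN-side probe of port 80 are ignored; any source in this output that is not a known media client warrants a look at that device.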

🔗 References

  • D-Link security announcement SAP10319: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10319