CVE-2022-43647

8.8 HIGH

📋 TL;DR

This vulnerability allows network-adjacent attackers to execute arbitrary code on D-Link DIR-825 routers without authentication. The flaw exists in the xupnpd service on TCP port 4044, where improper input validation enables command injection. Attackers can gain admin-level access to affected routers.

💻 Affected Systems

Products:
  • D-Link DIR-825
Versions: 1.0.9/EE
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: xupnpd service runs by default on port 4044. Only network-adjacent attackers can exploit (same broadcast domain).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise allowing attackers to intercept traffic, modify configurations, install persistent malware, or pivot to internal networks.

🟠 Likely Case

Router takeover enabling DNS hijacking, credential theft from connected devices, or botnet recruitment.

🟢 If Mitigated

Limited impact if the service is disabled or network segmentation prevents access to port 4044.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published a detailed advisory with exploitation details. Because no authentication is required, exploitation is trivial for network-adjacent attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest firmware

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10319

Restart Required: Yes

Instructions:

1. Access the router web interface
2. Navigate to the firmware update section
3. Download the latest firmware from the D-Link support site
4. Upload and apply the firmware update
5. Reboot the router

🔧 Temporary Workarounds

Disable xupnpd service

Stop the vulnerable xupnpd service listening on port 4044 and remove its init script so it is not started again on boot:

  killall xupnpd
  rm /etc/init.d/xupnpd

Block port 4044

Use firewall rules to block access to the vulnerable service (rules are evaluated in order, so use -I INPUT instead of -A if the chain already contains an earlier ACCEPT rule that would match this traffic):

  iptables -A INPUT -p tcp --dport 4044 -j DROP

🧯 If You Can't Patch

  • Segment network to isolate router from untrusted devices
  • Implement strict network access controls to limit who can reach port 4044

🔍 How to Verify

Check if Vulnerable:

Check if xupnpd is running on port 4044: netstat -tlnp | grep 4044

Check Version:

Check router web interface or run: cat /etc/version

Verify Fix Applied:

Verify xupnpd service is stopped and port 4044 is not listening
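As an added example (not part of the advisory or D-Link's own tooling), the following POSIX shell script turns the three checks above into a repeatable test: it parses `netstat -tlnp` and `ps` output for a TCP socket in LISTEN state on port 4044 and for an xupnpd process, and prints a single verdict. All command output embedded below is constructed for the example; on the router itself you would pass the live output of `netstat -tlnp` and `ps` instead, as shown in the closing comment.

```shell
#!/bin/sh
# Added example, not from the D-Link or ZDI advisories. Turns the "How to Verify"
# checks into a repeatable test: is anything LISTENing on TCP/4044, and is an
# xupnpd process present? All sample command output below is constructed.

# port_listening NETSTAT_OUTPUT PORT
# Succeeds (exit 0) and prints the matching socket line(s) when a TCP socket in
# LISTEN state is bound to PORT. Compares the ":PORT" suffix of the local address
# so that 4044 does not also match 40440 or 14044. Works on `netstat -tln`
# output with or without the -p (PID/Program) column, since State is field 6.
port_listening() {
    printf '%s\n' "$1" | awk -v p=":$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" &&
        substr($4, length($4) - length(p) + 1) == p { found = 1; print }
        END { exit found ? 0 : 1 }'
}

# xupnpd_running PS_OUTPUT
# Succeeds when any field of the ps output is exactly "xupnpd" or ends in "/xupnpd".
xupnpd_running() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "xupnpd" || $i ~ /\/xupnpd$/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# assess NETSTAT_OUTPUT PS_OUTPUT
# Prints a one-line verdict and always exits 0 so it can be used in a pipeline.
assess() {
    if port_listening "$1" 4044 >/dev/null; then
        echo "EXPOSED: a service is still listening on TCP/4044"
    elif xupnpd_running "$2"; then
        echo "PARTIAL: xupnpd process present but nothing listening on TCP/4044"
    else
        echo "CLEAR: no listener on TCP/4044 and no xupnpd process"
    fi
}

# Constructed sample output for an unmitigated router (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      611/httpd
tcp        0      0 0.0.0.0:4044            0.0.0.0:*               LISTEN      745/xupnpd
tcp        0      0 0.0.0.0:40440           0.0.0.0:*               LISTEN      900/other'
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
  611 root      1204 S    httpd -p 80
  745 root      2380 S    /usr/bin/xupnpd
  900 root       980 S    other'

# Constructed sample output after the workaround (xupnpd stopped, init script removed).
MITIGATED_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
MITIGATED_PS='  PID USER       VSZ STAT COMMAND
  611 root      1204 S    httpd -p 80'

echo "before workaround: $(assess "$SAMPLE_NETSTAT" "$SAMPLE_PS")"
echo "after workaround:  $(assess "$MITIGATED_NETSTAT" "$MITIGATED_PS")"
# On the router itself (BusyBox), run against live output instead:
#   assess "$(netstat -tlnp 2>/dev/null)" "$(ps)"
```

The suffix comparison on the local address is what makes the check reliable; a plain `grep 4044` over the netstat output also matches ports such as 40440 and any PID containing those digits, which is why the one-liner above should be treated as a quick look rather than a verification.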

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to port 4044
  • xupnpd service restart attempts
  • Suspicious command execution in system logs

Network Indicators:

  • Traffic to router port 4044 from unexpected sources
  • Unusual outbound connections from router

SIEM Query:

(source_port=4044 OR dest_port=4044) AND (process_name="xupnpd" OR cmdline="*xupnpd*")
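As an added example (not from the advisory), the script below applies the "traffic to router port 4044 from unexpected sources" indicator to connection log lines: it reports every TCP connection to port 4044 whose source is not on an allowlist, and produces per-source counts to help build that allowlist from a baseline period. The key=value log format, the timestamps and every address are constructed for the example; adapt the field names to whatever your firewall or flow logger emits.

```shell
#!/bin/sh
# Added example, not from the advisory. Applies the "Network Indicators" to
# connection log lines: report TCP connections to port 4044 that do not come
# from an allowlisted source. The key=value format and all addresses below are
# constructed for the example.

# flag_4044_from_unexpected LOG_TEXT ALLOWLIST
# ALLOWLIST is a comma-separated list of source addresses that are expected to
# reach the service (media clients you know about). Prints each line with
# proto=tcp and dpt=4044 whose src is not on the list.
flag_4044_from_unexpected() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            proto = ""; src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^proto=/) proto = substr($i, 7)
                if ($i ~ /^src=/)   src   = substr($i, 5)
                if ($i ~ /^dpt=/)   dpt   = substr($i, 5)
            }
            if (proto == "tcp" && dpt == "4044" && !(src in ok)) print
        }'
}

# count_4044_by_src LOG_TEXT
# Per-source counts of TCP connections to port 4044, sorted by address, for
# deciding which sources belong on the allowlist.
count_4044_by_src() {
    printf '%s\n' "$1" | awk '
        {
            proto = ""; src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^proto=/) proto = substr($i, 7)
                if ($i ~ /^src=/)   src   = substr($i, 5)
                if ($i ~ /^dpt=/)   dpt   = substr($i, 5)
            }
            if (proto == "tcp" && dpt == "4044") c[src]++
        }
        END { for (s in c) print c[s], s }' | sort -k2
}

# Constructed sample connection log (not captured from a real device).
SAMPLE_CONN_LOG='2024-01-01T10:00:01 proto=tcp src=192.168.0.50 dst=192.168.0.1 dpt=80
2024-01-01T10:00:05 proto=tcp src=192.168.0.50 dst=192.168.0.1 dpt=4044
2024-01-01T10:00:09 proto=tcp src=192.168.0.77 dst=192.168.0.1 dpt=4044
2024-01-01T10:00:12 proto=udp src=192.168.0.77 dst=192.168.0.1 dpt=1900'

echo "TCP connections to 4044 per source:"
count_4044_by_src "$SAMPLE_CONN_LOG"
echo "unexpected sources (allowlist: 192.168.0.50):"
flag_4044_from_unexpected "$SAMPLE_CONN_LOG" "192.168.0.50"
```

Because the service only needs to be reachable from the media clients that actually use it, an allowlist of a few addresses plus an alert on everything else is usually a tighter signal than alerting on all port 4044 traffic, which would fire on every legitimate UPnP client.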
