CVE-2023-27077

7.5 HIGH

📋 TL;DR

A stack overflow vulnerability in 360 D901 routers allows remote attackers to trigger a Distributed Denial of Service (DDoS) by sending specially crafted HTTP packets. This affects all systems running vulnerable 360 D901 router firmware versions. The vulnerability can disrupt network services without requiring authentication.

💻 Affected Systems

Products:
  • 360 D901 Router
Versions: All versions prior to patched firmware (specific version unknown)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations appear vulnerable as the HTTP service is typically enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router crash and network outage, requiring physical reboot and causing extended service disruption across all connected devices.

🟠 Likely Case

Router becomes unresponsive, requiring manual reboot and causing temporary network downtime for all users.

🟢 If Mitigated

Minimal impact with proper network segmentation and rate limiting preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible to attackers.
🏢 Internal Only: LOW - The vulnerability requires network access, but internal-only exposure reduces attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains exploit details and likely working code. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the 360 router vendor website for firmware updates.
2. Download the latest firmware.
3. Upload it via the router admin interface.
4. Reboot the router after the update.

🔧 Temporary Workarounds

Disable HTTP Management

Platform: all

Disable HTTP-based router management interface and use HTTPS only

Router-specific: Access admin interface > Management > Disable HTTP

Network Segmentation

Platform: linux

Isolate router management interface to internal network only

# Drop HTTP management traffic from any source outside the trusted LAN
# (replace 192.168.1.0/24 with your own LAN range). The "!" negates the
# -s match and must come before it; "-s ! ..." is rejected by iptables.
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP

🧯 If You Can't Patch

  • Implement strict network ACLs to restrict access to router management interface
  • Deploy rate limiting and DDoS protection at network perimeter

🔍 How to Verify

Check if Vulnerable:

Check router firmware version against known vulnerable versions. Test with controlled exploit if in lab environment.

Check Version:

Router-specific: Access admin interface > System > Firmware Version

Verify Fix Applied:

Verify firmware version is updated and test with exploit attempt to confirm no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP requests with malformed packets
  • Router crash/reboot events
  • Unusual traffic patterns to router IP

Network Indicators:

  • Spike in HTTP traffic to router management port
  • Repeated malformed HTTP packets

SIEM Query:

dest_ip="<router_ip>" AND dest_port=80 AND (http_parse_error=true OR packet_size > <threshold>)

(Pseudo-query: the router is the destination, not the source, of the crafted requests; substitute your SIEM's field names and a size threshold tuned to legitimate management traffic.)
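Added example, not part of the original advisory: a small Python detector that applies the log and network indicators above to constructed log lines, flagging requests to the router's HTTP management port that are oversized, bursty, or from outside the trusted LAN. The router address, LAN range, log format, field names and thresholds are all assumptions.

```python
# Added example (not from the original advisory): flag oversized or bursty
# requests to a router's HTTP management port. Log format, field names,
# thresholds and sample lines are all constructed for illustration.
import ipaddress
from collections import defaultdict
from datetime import datetime

ROUTER_IP = "192.168.1.1"                              # assumed management address
MGMT_PORT = 80                                         # HTTP port named in the advisory
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
SIZE_THRESHOLD = 2048     # bytes; assumed ceiling for a legitimate request
RATE_THRESHOLD = 2        # requests per source allowed inside one window
WINDOW_SECONDS = 10
# Constructed key=value lines in the style of a firewall or proxy log.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z src=192.168.1.20 dst=192.168.1.1 dport=80 bytes=512 method=GET
2024-05-01T12:00:01Z src=192.168.1.20 dst=192.168.1.1 dport=80 bytes=640 method=GET
2024-05-01T12:00:02Z src=203.0.113.5 dst=192.168.1.1 dport=80 bytes=9000 method=POST
2024-05-01T12:00:02Z src=203.0.113.5 dst=192.168.1.1 dport=80 bytes=9000 method=POST
2024-05-01T12:00:03Z src=203.0.113.5 dst=192.168.1.1 dport=80 bytes=9000 method=POST
2024-05-01T12:00:30Z src=192.168.1.30 dst=192.168.1.1 dport=443 bytes=300 method=GET
"""

def parse_line(line):
    """Parse 'ts k=v k=v ...' into a dict; return None for lines that do not fit."""
    ts, _, rest = line.partition(" ")
    try:
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        ev["bytes"], ev["dport"] = int(ev["bytes"]), int(ev["dport"])
        return ev
    except (ValueError, KeyError):
        return None

def detect(log_text):
    """Return {src_ip: set of reasons} for suspicious traffic to the mgmt port."""
    alerts, recent = defaultdict(set), defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.get("dst") != ROUTER_IP or ev["dport"] != MGMT_PORT:
            continue
        src = ev["src"]
        if ipaddress.ip_address(src) not in TRUSTED_LAN:
            alerts[src].add("management access from outside trusted LAN")
        if ev["bytes"] > SIZE_THRESHOLD:
            alerts[src].add("oversized HTTP request")
        # Sliding window: drop timestamps older than WINDOW_SECONDS, then count.
        recent[src] = [t for t in recent[src] if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        recent[src].append(ev["ts"])
        if len(recent[src]) > RATE_THRESHOLD:
            alerts[src].add("request burst to management port")
    return dict(alerts)
```

Running `detect(SAMPLE_LOG)` reports only the external source, with all three reasons; the two LAN requests stay under the rate threshold and the HTTPS line is ignored because it is not on the management port.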
