SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt
This alert is triggered when a client sends an HTTP request whose URI begins with /cgi-bin/ and contains the shell variable ${IFS}, a pattern associated with attempts to exploit a remote command execution (command injection) vulnerability in the HTTP server (httpd) of the DD-WRT firmware for wireless routers. DD-WRT is an open-source Linux-based firmware for wireless routers, and its HTTP server provides the web-based configuration interface. ${IFS} is the shell's internal field separator, which expands to whitespace; adversaries substitute it for literal spaces in an injected command because a space in a request URI is rejected or mangled by the server, so its presence in a cgi-bin URI is a strong indicator of an injection attempt rather than legitimate use.
Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/"; depth:10; nocase; http_uri; content:"${IFS}"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:5;)
Recommendations/Investigative actions
It is recommended to immediately identify the device receiving this traffic and verify whether it runs a DD-WRT build affected by the referenced vulnerabilities (CVE-2009-2765, CVE-2016-6277). If so, update the firmware to a fixed build. Note that the signature matches on the request URI only, so it also fires on scanners probing hosts that are not running DD-WRT; confirm the target's firmware before treating the event as a compromise.
Inspect the device's web-server and system logs to determine whether the attempted exploitation was successful. Look for the injected command in the logged request URIs (including percent-encoded forms such as %24%7BIFS%7D), for unexpected processes or configuration changes, and for signs of unauthorized access, data exfiltration, new outbound connections from the device, or further exploitation attempts.
If possible, do not expose the web management interface to external networks; restrict access to the internal network or to specific trusted external addresses only.
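As an added example (not part of this rule documentation, of Snort, or of DD-WRT), the following Python reproduces the two content checks of the signature above and applies them to web-server access-log lines, as the investigative action of inspecting server logs suggests. It approximates Snort's normalized http_uri buffer with a single percent-decoding pass; the combined-format log lines, addresses and request paths are constructed for the example, and the function and variable names are the example's own.

```python
"""Emulate the URI content checks of Snort SID 26275 and run them over access-log lines."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Combined Log Format: client ip, identd, user, [timestamp], "METHOD URI HTTP/x.y", ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)


def normalize_uri(raw_uri: str) -> str:
    """Approximate the http_uri buffer: Snort matches the normalized URI, so a
    percent-encoded payload (%24%7BIFS%7D) is decoded before the content checks.
    One decoding pass is used here; Snort's full normalization does more."""
    return unquote(raw_uri)


def rule_26275_matches(uri: str) -> bool:
    """Apply the signature's two content checks to a normalized URI.

    content:"/cgi-bin/"; depth:10; nocase; http_uri;
        -> the 9-byte string must lie entirely within the first 10 bytes,
           i.e. start at offset 0 or 1, compared case-insensitively.
    content:"${IFS}"; fast_pattern:only; http_uri;
        -> the literal ${IFS} must appear anywhere in the URI (case-sensitive,
           since the rule has no nocase on this content).
    """
    if "/cgi-bin/" not in uri[:10].lower():
        return False
    return "${IFS}" in uri


def triage_access_log(log_text: str) -> list[dict]:
    """Return one record per log line whose request URI would trigger SID 26275."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:  # malformed or non-request line; skip it
            continue
        uri = normalize_uri(m.group("uri"))
        if rule_26275_matches(uri):
            hits.append({"ip": m.group("ip"), "raw_uri": m.group("uri"), "uri": uri})
    return hits


# Constructed sample log lines (documentation addresses only).
# 1: literal ${IFS} injection              -> match
# 2: same payload percent-encoded          -> match after normalization
# 3: mixed-case /Cgi-Bin/                  -> match (nocase on the first content)
# 4: benign cgi-bin request                -> no match (no ${IFS})
# 5: /cgi-bin/ beyond the first 10 bytes   -> no match (depth:10 not satisfied)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/;cat${IFS}/etc/passwd HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/;cat%24%7BIFS%7D/etc/passwd HTTP/1.1" 200 128 "-" "curl/7.68.0"
198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "GET /Cgi-Bin/;ls${IFS}-la HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:57:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:58:00 +0000] "GET /static/cgi-bin/x?${IFS} HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in triage_access_log(SAMPLE_LOG):
        print(f"{hit['ip']}  {hit['raw_uri']}  ->  {hit['uri']}")
```

The fifth sample line shows a limit of the signature worth remembering during triage: because of depth:10, a cgi-bin path nested under another directory is not matched even when it carries ${IFS}, so a log search should not rely on the rule's exact offset constraint and can simply look for ${IFS} (decoded) anywhere in the URI.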
Relations to other alerts