CVE-2017-8413
Description
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon called "dldps2121" on UDP port 5978, which listens for broadcast packets sent to 255.255.255.255. This daemon handles a custom D-Link UDP-based protocol that allows D-Link mobile and desktop applications to discover D-Link devices on the local network. The binary processes UDP packets received from any device in its "main" function, and one path in that function leads to a block of code that handles commands to be executed on the device.

The custom protocol created by D-Link follows this pattern: Packetlen, Type of packet; M=MAC address of device or broadcast; D=Device Type; C=base64 encoded command string; test=1111. If a packet is received with packet type "S" (0x53), the string passed in the "C" parameter is base64 decoded and then executed by passing it to the system API. At address 0x00009B44, 0x31 ("1") is subtracted from the received packet type and the result is compared against 0x22 (a double quote character). If they match, the packet is routed to the block of code that executes a command. The value stored in the "C" parameter is then extracted at address 0x0000A1B0. Finally, the received string is base64 decoded and passed to the system API at address 0x0000A2A8.

The same form of communication can be initiated by any process, including an attacker process on the mobile phone or the desktop. This allows a third-party application on the mobile phone or desktop to execute commands on the device without any authentication by sending just 1 UDP packet with custom base64 encoding.
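A triage parser for captured UDP/5978 payloads that follow the pattern described above, as an added example that is not part of the advisory or D-Link's code. The exact wire layout (an ASCII "len,type" header followed by ";"-separated key=value fields), the standard base64 alphabet, the name inspect_payload and every sample payload are assumptions constructed for illustration.

```python
import base64
import binascii
import re

DISCOVERY_PORT = 5978  # UDP port of the dldps2121 daemon (from the description)
EXEC_TYPE = b"S"       # 0x53; 0x53 - 0x31 == 0x22, the comparison at 0x00009B44

# ASSUMPTION: ASCII "<len>,<type>" header, then ';'-separated key=value fields.
FIELD_RE = re.compile(rb";\s*([A-Za-z]+)=([^;]*)")


def inspect_payload(payload: bytes) -> dict:
    """Classify one captured UDP/5978 payload for triage; never executes anything."""
    header, sep, rest = payload.partition(b";")
    pkt_type = header.rsplit(b",", 1)[-1].strip()[:1]
    fields = {k.decode(): v.strip() for k, v in FIELD_RE.findall(sep + rest)}
    finding = {"type": pkt_type.decode("latin-1"), "mac": None,
               "alert": False, "command": None}
    if "M" in fields:
        finding["mac"] = fields["M"].decode("latin-1")
    if pkt_type == EXEC_TYPE and "C" in fields:
        finding["alert"] = True  # command path reached regardless of decode result
        try:
            # ASSUMPTION: standard base64 alphabet; a variant alphabet lands in except.
            raw = base64.b64decode(fields["C"], validate=True)
            finding["command"] = raw.decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            finding["command"] = None
    return finding


# Constructed sample payloads (not captured traffic); "0000" is a placeholder length
# and type "X" is a made-up stand-in for any non-command packet type.
_CMD = base64.b64encode(b"echo constructed-sample")
SAMPLES = [
    b"0000,X;M=FF:FF:FF:FF:FF:FF;D=placeholder;test=1111",
    b"0000,S;M=FF:FF:FF:FF:FF:FF;D=placeholder;C=" + _CMD + b";test=1111",
    b"0000,S;M=FF:FF:FF:FF:FF:FF;D=placeholder;C=!!not-base64!!;test=1111",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_payload(sample))
```

Any type "S" packet carrying a "C" field raises the alert even when the value does not decode, since the page notes the encoding may be custom.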
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DCS-1100 and DCS-1130 devices allow unauthenticated remote command injection via a custom UDP protocol on port 5978.
Vulnerability
The D-Link DCS-1100 and DCS-1130 devices run a custom daemon dldps2121 on UDP port 5978 that listens for broadcast packets. The daemon implements a proprietary discovery protocol used by D-Link mobile and desktop applications. The protocol includes a packet type field; when the type is 0x53 ('S'), the C parameter (base64-encoded command string) is decoded and passed to the system API for execution. This code path is reachable from any UDP packet sent to the device, without any authentication. Affected firmware versions are not explicitly listed in the available references, but the vulnerability is present in the hardware models DCS-1100 and DCS-1130 [1][2].
Exploitation
An attacker on the same local network can send a single crafted UDP broadcast packet to port 5978. The packet must follow the custom protocol format: Packetlen, Type of packet; M=MAC address of device or broadcast; D=Device Type; C=base64 encoded command string; test=1111. Setting the packet type to 0x53 triggers the command execution path. The C parameter contains a base64-encoded shell command. No authentication, user interaction, or prior knowledge of device credentials is required. The attacker does not need to be on the same subnet if broadcast packets are routable, but typically local network access is sufficient [1][2].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary system commands on the device with root privileges (since the daemon runs with elevated permissions). This results in full compromise of the device, including the ability to read sensitive data, modify device configuration, install malware, or use the device as a pivot for further network attacks. The impact is critical due to the lack of authentication and the simplicity of the attack [1][2].
Mitigation
As of the publication date (2019-07-02), no official firmware patch from D-Link has been identified in the available references. Users are advised to isolate affected devices on a separate VLAN or disable the UDP discovery service if possible. The devices may be end-of-life; checking D-Link's support page for firmware updates is recommended. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the knowledge cutoff. Until a fix is available, network segmentation is the primary mitigation [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DCS-1100 and DCS-1130
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html (mitre, x_refsource_MISC)
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf (mitre, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (mitre, mailing-list, x_refsource_BUGTRAQ)