CVE-2021-35395

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 August 2021
Modified: 07 November 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9366 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-35395 is a critical-severity vulnerability (weakness type unspecified) in the Realtek Rtl819X Jungle Software Development Kit. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Realtek Jungle SDK versions v2.x through v3.4.14B include an HTTP management interface, implemented either as the Go-Ahead-based "webs" binary or the Boa-based "boa" binary, that exposes configuration endpoints for wireless access points. Multiple stack-based buffer overflows exist in form handlers such as formRebootCheck, formWsc, formWlanMultipleAP, formWlSiteSurvey, and formStaticDHCP, caused by unbounded copies of parameters including submit-url, ifname, hostname, and peerPin; additional command-injection flaws allow arbitrary execution through the sysCmd and peerPin parameters in formSysCmd and formWsc.

Remote unauthenticated attackers can reach these endpoints over the network and supply crafted parameters to trigger the overflows or command injections, resulting in arbitrary code execution on the device. Actual exploitability varies with vendor modifications to the SDK web server, such as added authentication layers or removal of specific forms, yet the underlying insecure calls remain present in unmodified or partially customized deployments.

Realtek has published an advisory and security report addressing CVE-2021-35395 along with related issues, and IoT Inspector has released detailed analysis of the affected SDK components; users should obtain updated firmware or patches from their device vendor that incorporate fixes from Realtek.

Vulnerability details

Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exist: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues:

- stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter
- stack buffer overflow in formWsc due to unsafe copy of submit-url parameter
- stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter
- stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter
- stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter
- stack buffer overflow in formWsc due to unsafe copy of 'peerPin' parameter
- arbitrary command execution in formSysCmd via the sysCmd parameter
- arbitrary command injection in formWsc via the 'peerPin' parameter

Exploitability of the identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK web server. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some removed some of them, and some inserted their own set of features. However, given that the Realtek SDK implementation is full of insecure calls and that developers tend to re-use those examples in their custom code, any binary based on the Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: realtek
Product: rtl819x jungle software development kit
Versions: 2.0 to 3.4.14b

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly blocks the unbounded copies of the submit-url, peerPin, hostname, ifname and sysCmd parameters that cause the stack overflows and command injection in the form handlers.
- Prevent: Enforces authentication and authorization on the management interface so that unauthenticated remote attackers cannot reach the vulnerable formRebootCheck, formWsc, formSysCmd and similar endpoints.
- Prevent: Limits exposure by disabling or removing unnecessary web-server forms and features in the Realtek SDK that contain the unsafe parameter handling.
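As an added illustration of the input-validation control above and of the unbounded parameter copies described under Deeper analysis, the following hypothetical C code (not Realtek SDK code) shows a bounded copy that refuses over-long values instead of truncating, plus allowlist checks for hostname- and peerPin-style parameters. The function names, the 32-byte buffer size and the 4-or-8-digit WPS PIN rule are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Bounded copy for a form parameter. Returns 0 on success, -1 when the value
 * (including its NUL terminator) does not fit in dst; nothing is written on -1. */
int copy_param_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    while (n < dstsz && src[n] != '\0') n++;   /* never reads past dstsz bytes */
    if (n == dstsz) return -1;                  /* too long: refuse, do not truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Allowlist for a peerPin-style value: WPS PINs are 4 or 8 decimal digits
 * (assumption), so anything else, shell metacharacters included, is rejected
 * before the value can reach any command string. */
int peer_pin_is_valid(const char *pin) {
    size_t n = 0;
    if (pin == NULL) return 0;
    while (pin[n] != '\0') {
        if (!isdigit((unsigned char)pin[n])) return 0;
        if (++n > 8) return 0;
    }
    return n == 4 || n == 8;
}

/* Allowlist for a hostname-style value: letters, digits and '-' only (RFC 1123
 * label characters), non-empty, not starting or ending with '-'. */
int hostname_is_valid(const char *host) {
    size_t n = 0;
    if (host == NULL || host[0] == '\0' || host[0] == '-') return 0;
    for (; host[n] != '\0'; n++) {
        unsigned char c = (unsigned char)host[n];
        if (!isalnum(c) && c != '-') return 0;
    }
    return host[n - 1] != '-';
}

/* Hypothetical hardened handler for a hostname parameter: validate first, then
 * copy with an explicit bound. The 32-byte stack buffer is a constructed size. */
int handle_hostname_param(const char *hostname) {
    char buf[32];
    if (!hostname_is_valid(hostname)) return -1;
    return copy_param_bounded(buf, sizeof buf, hostname);
}
```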

References