Cyber Resilience

CVE-2021-35402

Critical · RCE

Published: 20 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0095 (56.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2021-35402 is a critical-severity OS Command Injection (CWE-78) vulnerability in Starlabs (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-35402 is an OS command injection vulnerability (CWE-78) in the PROLiNK PRC2402M router firmware version 20190909 before 2021-06-13. The issue affects the live_api.cgi script when the page parameter is set to satellite_list, allowing injection of shell metacharacters via the ip parameter during satellite_status operations.

The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), enabling remote unauthenticated attackers with network access to execute arbitrary OS commands with low complexity and no user interaction. Exploitation can result in full device compromise, granting high-impact control over confidentiality, integrity, and availability.

Mitigation guidance is available in the Star Labs advisory at https://starlabs.sg/advisories/21/21-35402/. The CVE was published on 2026-02-20T19:23:14.200.


Vulnerability details

PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE-2021-35402 is an unauthenticated OS command injection in a public-facing router web interface (live_api.cgi), directly enabling T1190 (Exploit Public-Facing Application) and facilitating arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

Starlabs
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): directly prevents OS command injection by validating the ip parameter in live_api.cgi against shell metacharacters.

SI-2 (prevent): requires timely flaw remediation through firmware patching to eliminate the command injection vulnerability.

AC-3 (prevent): enforces access controls to block unauthenticated remote access to the vulnerable satellite_status endpoint.
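An added example of the SI-10 control listed above, written for this page and not taken from the Star Labs advisory, the vendor firmware, or live_api.cgi itself: a strict allow-list validator for an IPv4 `ip` parameter in C (the language router CGI handlers are typically written in), plus a hypothetical satellite_status gatekeeper that hands the validated value to the helper as its own argv element instead of building a shell string. The ping helper path and the handler shape are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allow-list check for an IPv4 literal: exactly four decimal octets
 * 0..255, single dots, nothing else. Shell metacharacters fail because
 * they are simply not digits or dots; no deny-list of "bad" characters
 * is needed (deny-lists are what gets enumerated around). */
bool is_valid_ipv4(const char *s)
{
    if (s == NULL || s[0] == '\0') return false;
    int octets = 0;
    size_t i = 0;
    while (s[i] != '\0') {
        size_t start = i;
        long value = 0;
        while (isdigit((unsigned char)s[i])) {
            value = value * 10 + (s[i] - '0');
            i++;
            if (i - start > 3) return false;          /* >3 digits in an octet */
        }
        size_t len = i - start;
        if (len == 0) return false;                   /* empty octet or foreign char */
        if (len > 1 && s[start] == '0') return false; /* "01": leading zero */
        if (value > 255) return false;
        octets++;
        if (s[i] == '.') {
            if (octets == 4 || s[i + 1] == '\0') return false; /* "1.2.3.4." / "1.2.3." */
            i++;
        } else if (s[i] != '\0') {
            return false;                             /* ';', '|', '`', '$', space, ... */
        }
    }
    return octets == 4;
}

/* Hypothetical satellite_status gatekeeper (assumed shape, not the real
 * live_api.cgi). Returns 0 and fills argv for execv(), or -1 to reject.
 * The value becomes its own argv element, so /bin/sh never parses it;
 * validation is still mandatory because the helper itself may treat a
 * leading '-' or odd tokens as options. */
int satellite_status_argv(const char *ip, const char *argv[4])
{
    if (!is_valid_ipv4(ip)) return -1;
    argv[0] = "/bin/ping";   /* placeholder helper path, an assumption */
    argv[1] = "-c1";
    argv[2] = ip;
    argv[3] = NULL;
    return 0;
}
```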

References