CVE-2021-35402
Published: 20 February 2026
Summary
CVE-2021-35402 is a critical-severity OS Command Injection (CWE-78) vulnerability in Starlabs (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-35402 is an OS command injection vulnerability (CWE-78) in the PROLiNK PRC2402M router firmware version 20190909 before 2021-06-13. The issue affects the live_api.cgi script when the page parameter is set to satellite_list, allowing injection of shell metacharacters via the ip parameter during satellite_status operations.
The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), enabling remote unauthenticated attackers with network access to execute arbitrary OS commands with low complexity and no user interaction. Exploitation can result in full device compromise, granting high-impact control over confidentiality, integrity, and availability.
Mitigation guidance is available in the Star Labs advisory at https://starlabs.sg/advisories/21/21-35402/. The CVE was published on 2026-02-20T19:23:14.200.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-22045
Vulnerability details
PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2021-35402 is an unauthenticated OS command injection in a public-facing router web interface (live_api.cgi), directly enabling T1190 (Exploit Public-Facing Application) and facilitating arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents OS command injection by validating the ip parameter in live_api.cgi against shell metacharacters.
SI-2 requires timely flaw remediation through firmware patching to eliminate the command injection vulnerability.
AC-3 enforces access controls to block unauthenticated remote access to the vulnerable satellite_status endpoint.