CVE-2021-35393
published 2021-08-16

Priority: P179, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 70.33% (99.3th percentile)
Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd. The server is vulnerable to a stack buffer overflow vulnerability that is present due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header. Successful exploitation of this vulnerability allows remote unauthenticated attackers to gain arbitrary code execution on the affected device.

Affected

1 range
Vendor | Product | Version range | Fixed in
realtek | rtl819x_jungle_software_development_kit | 2.0 – 3.4.14b |

Detection & IOCs (extracted from sources)

path: /goform/formWlanMultipleAP
path: /goform/formWlSiteSurvey
path: /goform/formStaticDHCP
path: /upnp/
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlanMultipleAP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlanMultipleAP"; endswith; fast_pattern; http.request_body; content:"submit-url="; pcre:"/^[^&]{512,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033842; rev:1;)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlSiteSurvey Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlSiteSurvey"; fast_pattern; endswith; http.request_body; content:"ifname="; pcre:"/^[^&]{90,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033838; rev:2;)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formStaticDHCP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formStaticDHCP"; endswith; fast_pattern; http.request_body; content:"hostname="; pcre:"/^[^&]{42,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033841; rev:1;)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.uri; content:"/upnp/"; http.request_header; header_lowercase; content:"callback|3a 20 3c|http"; fast_pattern; startswith; pcre:"/^callback\x3a\x20\x3chttp[^\x3a]+\x3a\d{1,5}[^\/]/i"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033843; rev:2;)
  • Exploit targets HTTP POST to /goform/formWlanMultipleAP with a 'submit-url=' body parameter exceeding 512 characters (stack buffer overflow trigger).
  • Exploit targets HTTP POST to /goform/formWlSiteSurvey with an 'ifname=' body parameter exceeding 90 characters (stack buffer overflow trigger).
  • Exploit targets HTTP POST to /goform/formStaticDHCP with a 'hostname=' body parameter exceeding 42 characters (stack buffer overflow trigger).
  • Exploit uses HTTP SUBSCRIBE method to /upnp/ with a malformed Callback header (e.g., 'callback: <http...') lacking a trailing slash after the port — indicative of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header stack overflow.
  • Vulnerable binaries are typically named 'wscd' or 'mini_upnpd'; presence of these processes on IoT devices indicates exposure to this CVE.
  • The vulnerability is in the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header parsing; monitor for inbound SUBSCRIBE requests to UPnP endpoints from untrusted sources.
  • Snort rules target inbound traffic to $HOME_NET and $HTTP_SERVERS; ensure these variables are correctly scoped to include IoT/embedded device segments where Realtek SDK devices reside.
  • The UPnP SUBSCRIBE rule (sid:2033843) was last updated 2024_04_25 (rev:2), while the other three rules remain at rev:1 from 2021_08_30 — verify you are running the latest rule revisions.
  • All four rules are classified confidence Medium; false positives are possible in environments with legitimate large-form POST submissions to these goform endpoints.
  • Affected versions span Realtek Jungle SDK v2.x up to v3.4.14B; devices running versions beyond v3.4.14B may not be vulnerable.
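
Added example (not part of the original page or of the Snort rules above): a Python triage function that applies the conditions in the bullets above to already-parsed HTTP request records, for instance from a reverse-proxy or sensor log. The record schema (method, uri, headers, body), the sample records and the label strings are assumptions, and the Callback check follows the bullet's description rather than porting the rule's pcre.

```python
import re
from urllib.parse import urlsplit

# (endpoint, body parameter, minimum length) taken from the rules' {N,} quantifiers
GOFORM_LIMITS = [
    ("/goform/formWlanMultipleAP", "submit-url", 512),
    ("/goform/formWlSiteSurvey", "ifname", 90),
    ("/goform/formStaticDHCP", "hostname", 42),
]
# Callback value "<http://host:port" whose port is not followed by "/"
CALLBACK_NO_SLASH = re.compile(r"^<https?://[^/:>]+:\d{1,5}(?![\d/])", re.I)


def triage(req):
    """Return labels for each bulleted condition that a parsed request meets."""
    hits = []
    method = req["method"].upper()
    path = urlsplit(req["uri"]).path
    headers = {k.lower(): v.strip() for k, v in req.get("headers", {}).items()}
    if method == "POST":
        # Measure raw (not URL-decoded) values; check every occurrence of a name
        pairs = [p.partition("=")[::2] for p in req.get("body", "").split("&")]
        for endpoint, name, limit in GOFORM_LIMITS:
            if path.endswith(endpoint) and any(
                k == name and len(v) >= limit for k, v in pairs
            ):
                hits.append(f"{endpoint}:{name}")
    if method in ("SUBSCRIBE", "UNSUBSCRIBE") and "/upnp/" in path:
        if CALLBACK_NO_SLASH.match(headers.get("callback", "")):
            hits.append("upnp:callback")
    return hits


# Constructed sample records (hypothetical log schema, documentation IPs)
SAMPLES = [
    {"method": "POST", "uri": "/goform/formStaticDHCP", "headers": {},
     "body": "ip=192.0.2.50&hostname=" + "h" * 42},
    {"method": "POST", "uri": "/goform/formStaticDHCP", "headers": {},
     "body": "ip=192.0.2.50&hostname=printer"},
    {"method": "SUBSCRIBE", "uri": "/upnp/event/example",
     "headers": {"Callback": "<http://192.0.2.10:49152>"}, "body": ""},
    {"method": "SUBSCRIBE", "uri": "/upnp/event/example",
     "headers": {"Callback": "<http://192.0.2.10:49152/notify>"}, "body": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["method"], sample["uri"], "->", triage(sample) or "no match")
```
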

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C