CVE-2021-35394
Published 2021-08-16
Priority: P196 · critical · 9.8 (CVSS 3.1)
CISA Known Exploited Vulnerability (due 2021-12-24)
Exploited in the wild
EPSS: 99.86% (100.0th percentile)
Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realtek | rtl819x_jungle_software_development_kit | 2.0 – 3.4.14b | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Realtek Jungle SDK Remote Code Execution Vulnerability
cisa·2021-12-10·CVSS 9.8
CVE-2021-35394 [CRITICAL] CWE-78
Affected: Realtek Jungle Software Development Kit (SDK)
RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-35394
Remediation Due Date: 2021-12-24
GHSA
GHSA-9q9f-f28q-83xj: Realtek Jungle SDK version v2
ghsa_unreviewed·2022-05-24
CVE-2021-35394 [CRITICAL] CWE-77
Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
VulnCheck
Realtek Jungle SDK Remote Code Execution Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-35394 [CRITICAL] CWE-78
RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution.
Affected: Realtek Jungle Software Development Kit (SDK)
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://blog.netlab.360.com/men-sheng-fa-da-cai-fodchajiang-shi-wang-luo/
- https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/
- https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
- https://ti.qianxin.com/blog/article
Suricata
ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394)
suricata·2023-01-27·CVSS 9.8
CVE-2021-35394 [CRITICAL]
Rule:

```
alert udp any any -> $HOME_NET 9034 (msg:"ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394)"; flow:to_server; content:"orf|3b|"; fast_pattern; startswith; threshold:type limit, count 1, seconds 3600, track by_src; reference:cve,2021-35394; reference:url,unit42.paloaltonetworks.com/realtek-sdk-vulnerability/; reference:url,onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain; classtype:attempted-admin; sid:2044008; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_01_27, cve CVE_2021_35394, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV,
```
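To make the rule's two conditions concrete for anyone tuning or validating it, here is an added Python example (not from Emerging Threats, Suricata or this page) that replays the signature's logic over constructed sample datagrams: a payload that begins with the bytes `orf;` arriving on UDP/9034, and the `threshold:type limit, count 1, seconds 3600, track by_src` suppression of repeat alerts from one source. The `Datagram` type, the documentation-range addresses and the filler bytes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constants lifted from the Suricata rule above.
RULE_PORT = 9034              # alert udp any any -> $HOME_NET 9034
RULE_PREFIX = b"orf;"         # content:"orf|3b|"; startswith
THRESHOLD_SECONDS = 3600      # threshold:type limit, count 1, seconds 3600, track by_src
RULE_SID = 2044008

@dataclass
class Datagram:               # assumed minimal view of an inbound UDP datagram
    src_ip: str
    dst_port: int
    payload: bytes
    ts: float                 # arrival time in seconds

def matches_rule(d: Datagram) -> bool:
    """Signature part: port 9034 and a payload that begins with b'orf;' (case-sensitive, no nocase)."""
    return d.dst_port == RULE_PORT and d.payload.startswith(RULE_PREFIX)

class LimitThreshold:
    """type limit, count 1, track by_src: one alert per source per window, opened on the first alert."""
    def __init__(self, window: float = THRESHOLD_SECONDS) -> None:
        self.window = window
        self.window_start: Dict[str, float] = {}
    def allow(self, src: str, ts: float) -> bool:
        start = self.window_start.get(src)
        if start is not None and ts - start < self.window:
            return False          # still inside the open window: suppressed
        self.window_start[src] = ts
        return True

def evaluate(datagrams: List[Datagram]) -> List[dict]:
    """Return the alerts the rule would emit for a sequence of datagrams."""
    threshold = LimitThreshold()
    alerts = []
    for d in datagrams:
        if matches_rule(d) and threshold.allow(d.src_ip, d.ts):
            alerts.append({"sid": RULE_SID, "src_ip": d.src_ip, "ts": d.ts})
    return alerts

# Constructed sample traffic (documentation addresses; filler bytes after the prefix).
SAMPLE = [
    Datagram("198.51.100.7", 9034, b"orf;<filler>", 0.0),    # first hit: alert
    Datagram("198.51.100.7", 9034, b"orf;<filler>", 120.0),  # same source in window: suppressed
    Datagram("198.51.100.7", 9034, b"xorf;", 130.0),         # prefix not at payload start: no match
    Datagram("203.0.113.9", 9034, b"orf;", 200.0),           # different source: alert
    Datagram("198.51.100.7", 53, b"orf;", 300.0),            # wrong port: no match
    Datagram("198.51.100.7", 9034, b"orf;", 3700.0),         # window elapsed: alert again
]
```

Running `evaluate(SAMPLE)` yields three alerts (the first, fourth and sixth datagrams), which is what the `limit` threshold means in practice: a noisy scanner from one source shows up once an hour in the alert log, not once per probe.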
Nuclei
RealTek AP Router SDK - Arbitrary Command Injection
nuclei·CVSS 9.8
CVE-2021-35394 [CRITICAL]
The SDK exposes a UDP server that allows remote execution of arbitrary commands.
Template:

```yaml
id: CVE-2021-35394
info:
  name: RealTek AP Router SDK - Arbitrary Command Injection
  author: king-alexander
  severity: critical
  remediation: Apply the latest security patches or updates provided by RealTek.
  description: The SDK exposes a UDP server that allows remote execution of arbitrary commands.
  impact: |
    Attackers can execute arbitrary commands remotely through the exposed UDP server port by sending specially crafted commands to RealTek AP Router SDK devices.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
    - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
  classification:
    epss-score: 0.942
```
abuse.ch
URLhaus Malware Distribution: CVE-2021-35394
abuse_ch·2026-06-13·CVSS 9.8
CVE-2021-35394 [CRITICAL]
URLhaus has tracked 16 malicious URLs associated with 'CVE-2021-35394'.
Activity observed from 2026-06-13 to 2026-06-13.
URL status: online: 16
Top hosting infrastructure:
- 103.245.27.100 (8 URLs)
- vbotnt1.duckdns.org (8 URLs)
Reported by: opastorello (16)
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02·CVSS 9.8
CVE-2021-22005 [CRITICAL]
## Network Security Trends: November 2022-January 2023
Yiheng An
Published: May 2, 2023
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Additionally, attackers have also been taking advantage of a traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o
Fortinet
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs
blogs_fortinet·2023-03-29·CVSS 9.8
[CRITICAL]
By Cara Lin | March 29, 2023
Affected platforms: Windows, Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical
FortiGuard Labs observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware. (Figure 1 shows trigger counts from our IPS signatures of the CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) vulnerabilities.)
ShellBot is a malware developed in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with the server, also known as PerlBot. Moobot is a Mirai variant botnet that targets exposed net
Unit42
Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats
blogs_unit42·2023-01-24·CVSS 9.8
CVE-2021-35394 [CRITICAL]
## Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats
Yiheng An, Chao Lei, Adam Robbie, Aveek Das, Zhibin Zhang, Shehroze Farooqi
Published: January 24, 2023
## Executive Summary
Unit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks.
As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing.
Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices. This tells us that threat groups
Unit42
Network Security Trends: August-October 2022
blogs_unit42·2023-01-12·CVSS 9.8
CVE-2021-35394 [CRITICAL]
## Network Security Trends: August-October 2022
Yiheng An
Published: January 12, 2023
## Executive Summary
Recent August-October 2022 observations of exploits used in the wild reveal that threat actors have been leveraging significant numbers of attacks against the Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394).
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based on proof-of-concept (PoC) availability and impact. We have detailed below which of these we believe should be on a defender’s radar.
Other insights that could assist defenders include the following:
- Rankings of the most commonly used attack techniques and the types of vulnerabilities that attackers have recently favored. For example, among 5,190 newly published vulnerabilities, a large portion (almost 9.8%) involves cross-site scri
References:
- https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain
- https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en
- https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf
- https://www.securityfocus.com/archive/1/534765
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35394
Timeline:
- 2021-08-16: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild