CVE-2014-8361

9.8 CRITICAL

📋 TL;DR

CVE-2014-8361 is a critical remote code execution vulnerability in the miniigd UPnP SOAP service in Realtek SDK. It allows unauthenticated attackers to execute arbitrary code on affected devices via crafted NewInternalClient requests. This vulnerability affects numerous embedded devices (routers, IoT devices) using Realtek SDK and has been actively exploited for years.

💻 Affected Systems

Products:
  • D-Link routers
  • TP-Link routers
  • Netgear routers
  • ASUS routers
  • Other embedded devices using Realtek SDK
Versions: Realtek SDK versions prior to 2014 patches
Operating Systems: Embedded Linux systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with UPnP enabled (often default). Many consumer routers and IoT devices are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to botnet recruitment, data exfiltration, lateral movement into internal networks, and persistent backdoor installation.

🟠 Likely Case

Device takeover for botnet participation, credential theft, and use as pivot point for internal network attacks.

🟢 If Mitigated

Limited impact if devices are behind firewalls with UPnP disabled and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code has been publicly available since 2014, and the flaw has been actively exploited in the wild through 2023. A single crafted HTTP POST request triggers the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vendor-specific firmware updates

Vendor Advisory: http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055

Restart Required: Yes

Instructions:

1. Identify device model and current firmware version.
2. Check manufacturer website for security updates.
3. Download latest firmware.
4. Apply firmware update via device web interface.
5. Reboot device.

🔧 Temporary Workarounds

Disable UPnP Service (platform: all)

Disable the Universal Plug and Play service, which hosts the vulnerable miniigd component.

Device-specific: typically via web interface under Advanced Settings > UPnP

Block External UPnP Requests (platform: linux)

Configure the firewall to block incoming UPnP requests (port 1900/udp and 5000/tcp are typical; confirm the device's actual SOAP port first).

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p tcp --dport 5000 -j DROP

These INPUT rules only protect the host they run on. On a Linux gateway placed in front of the affected devices, add the same rules to the FORWARD chain so routed traffic to the devices is blocked as well.

🧯 If You Can't Patch

  • Segment affected devices on isolated network VLAN
  • Implement strict firewall rules blocking all inbound traffic to affected devices

🔍 How to Verify

Check if Vulnerable:

Check whether the UPnP service is reachable on ports 1900/udp or 5000/tcp. Use nmap: nmap -sU -p 1900 <target> (UDP scans need root) and nmap -sT -p 5000 <target>. An open port shows the service is exposed, not by itself that the firmware is vulnerable; combine this with the version check below.

Check Version:

Device-specific: Typically via web interface or telnet/ssh to device and check firmware version

Verify Fix Applied:

Verify UPnP service is disabled or patched firmware version is installed. Check firmware version matches vendor's patched version.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /soap.cgi or similar UPnP endpoints
  • Unusual process execution from web service context
  • Failed authentication attempts followed by successful exploit

Network Indicators:

  • HTTP POST to port 5000/tcp with SOAP XML containing NewInternalClient
  • Unusual outbound connections from embedded devices

SIEM Query:

dest_port=5000 AND http_method=POST AND (uri_path="*soap*" OR http_user_agent="*UPnP*")

Field names are SIEM-specific; match on the request's destination port, since the SOAP request is inbound to the device's UPnP port.
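The network indicators above as a small triage filter, added here as an example and not part of the original advisory. It assumes the typical port and path from this page, and that a legitimate NewInternalClient value is a bare IPv4 host address, so any other value is flagged; the request records are constructed sample data.

```python
import ipaddress
import re
from typing import NamedTuple


class HttpRecord(NamedTuple):
    dst_port: int
    method: str
    path: str
    body: str


# Constructed sample records (not real traffic): a benign AddPortMapping,
# one whose NewInternalClient value is not a plain host address, and noise.
SAMPLE_RECORDS = [
    HttpRecord(5000, "POST", "/soap.cgi?service=WANIPConn1",
               "<NewInternalClient>192.168.1.20</NewInternalClient>"),
    HttpRecord(5000, "POST", "/soap.cgi?service=WANIPConn1",
               "<NewInternalClient>192.168.1.20 CONSTRUCTED_NON_ADDRESS</NewInternalClient>"),
    HttpRecord(80, "GET", "/index.html", ""),
]

UPNP_PORT = 5000  # typical miniigd SOAP port per the advisory; adjust per device
SOAP_PATH = re.compile(r"soap", re.IGNORECASE)
NIC_TAG = re.compile(r"<(?:\w+:)?NewInternalClient>(.*?)</(?:\w+:)?NewInternalClient>", re.DOTALL)


def new_internal_client_values(body: str) -> list:
    """Return every NewInternalClient value carried in a SOAP body, whitespace stripped."""
    return [v.strip() for v in NIC_TAG.findall(body)]


def is_plain_ipv4(value: str) -> bool:
    """Assumption: a legitimate NewInternalClient is a bare dotted-quad address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def classify(rec: HttpRecord) -> str:
    """Map one request to 'ignore', 'upnp_soap' (worth logging) or 'suspicious'."""
    if rec.dst_port != UPNP_PORT or rec.method != "POST" or not SOAP_PATH.search(rec.path):
        return "ignore"
    values = new_internal_client_values(rec.body)
    if values and not all(is_plain_ipv4(v) for v in values):
        return "suspicious"
    return "upnp_soap"


def scan(records) -> list:
    """Classify a batch of records in order; used by the __main__ demo below."""
    return [classify(r) for r in records]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(f"{verdict:10s} {rec.method} :{rec.dst_port}{rec.path}")
```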
