Login Sign Up

CVE-2020-27301

8.0 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A stack buffer overflow vulnerability in Realtek RTL8710 and other Ameba-based WiFi chips allows remote code execution. Attackers within Wi-Fi range can exploit this by sending a crafted encrypted GTK value during WPA2 handshake. This affects IoT devices, routers, and embedded systems using vulnerable Realtek chips.

💻 Affected Systems

Products:
  • Realtek RTL8710
  • Ameba-based devices
  • IoT devices with vulnerable Realtek WiFi chips
  • Embedded systems using affected chips
Versions: All versions prior to patched firmware
Operating Systems: Embedded RTOS on affected chips
Default Config Vulnerable: ⚠️ Yes
Notes: Devices must be using WPA2 with vulnerable Realtek WiFi chip implementation. Both client and AP modes may be affected.

📦 What is this software?

Rtl8195a Firmware by Realtek

View all CVEs affecting Rtl8195a Firmware →

Rtl8710c Firmware by Realtek

View all CVEs affecting Rtl8710c Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent malware, pivot to other network devices, or use device as botnet node.

🟠

Likely Case

Device takeover enabling data theft, network surveillance, or denial of service attacks against the device.

🟢

If Mitigated

Limited impact if devices are isolated in separate VLANs with strict network segmentation and monitoring.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires attacker to be within Wi-Fi range and capture WPA2 handshake. No authentication needed once handshake is captured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vendor-specific firmware updates

Vendor Advisory: https://www.realtek.com/en/

Restart Required: Yes

Instructions:

1. Contact device manufacturer for firmware updates. 2. Apply firmware patch for affected Realtek chip. 3. Reboot device after update. 4. Verify patch installation.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable devices in separate VLANs to limit attack surface

WPA3 Migration

all

Upgrade to WPA3 where supported to avoid vulnerable WPA2 implementation

🧯 If You Can't Patch

  • Physically isolate devices from critical networks
  • Implement strict network access controls and monitor for suspicious Wi-Fi activity

🔍 How to Verify

Check if Vulnerable:

Check device specifications for Realtek RTL8710 or Ameba chips. Review firmware version against manufacturer advisories.

Check Version:

Manufacturer-specific commands vary. Typically via device web interface or serial console.

Verify Fix Applied:

Verify firmware version matches patched version from manufacturer. Test device functionality post-update.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed WPA2 handshakes
  • Unusual device reboots
  • Unexpected firmware changes

Network Indicators:

  • Abnormal Wi-Fi traffic patterns
  • Suspicious 4-way handshake attempts
  • Unexpected network connections from IoT devices

SIEM Query:

source="wireless" AND (event="handshake_failure" OR event="authentication_failure") AND device_type="iot"

📊 Metadata

CVE ID: CVE-2020-27301
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: June 4, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-27301, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)