Login Sign Up

CVE-2020-9395

8.0 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability exists in Realtek Wi-Fi chipset firmware for specific IoT devices. Attackers can exploit this by sending a specially crafted WPA2 4-way handshake packet, potentially allowing remote code execution. Affected devices include Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF chipsets running vulnerable firmware.

💻 Affected Systems

Products:
  • Realtek RTL8195AM
  • Realtek RTL8711AM
  • Realtek RTL8711AF
  • Realtek RTL8710AF
Versions: All versions before 2.0.6
Operating Systems: Embedded firmware on affected chipsets
Default Config Vulnerable: ⚠️ Yes
Notes: Devices using these chipsets in IoT products, development boards, or embedded systems are vulnerable when using WPA2.

📦 What is this software?

Rtl8195am Firmware by Realtek

View all CVEs affecting Rtl8195am Firmware →

Rtl8710af Firmware by Realtek

View all CVEs affecting Rtl8710af Firmware →

Rtl8711af Firmware by Realtek

View all CVEs affecting Rtl8711af Firmware →

Rtl8711am Firmware by Realtek

View all CVEs affecting Rtl8711am Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, credential theft, and lateral movement within the network.

🟠

Likely Case

Device crash/reboot (denial of service) or limited code execution depending on exploit sophistication.

🟢

If Mitigated

No impact if patched or if network segmentation prevents attacker access.

🌐 Internet-Facing: HIGH - Exploitable over Wi-Fi without authentication, making exposed devices vulnerable.
🏢 Internal Only: MEDIUM - Requires attacker to be within Wi-Fi range or have network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires Wi-Fi proximity or network access to send malformed EAPOL-Key packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.6 or later

Vendor Advisory: https://www.amebaiot.com/en/security_bulletin/

Restart Required: Yes

Instructions:

1. Check device firmware version. 2. Download updated firmware from vendor. 3. Flash firmware to device following vendor instructions. 4. Reboot device.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected devices on separate VLANs to limit attack surface.

WPA3 Transition

all

Upgrade to WPA3 where supported to change handshake mechanism.

🧯 If You Can't Patch

  • Segment network to isolate vulnerable devices from critical systems.
  • Monitor for unusual Wi-Fi handshake patterns or device crashes.

🔍 How to Verify

Check if Vulnerable:

Check firmware version on device; if below 2.0.6, it's vulnerable.

Check Version:

Vendor-specific command; typically via serial console or management interface.

Verify Fix Applied:

Confirm firmware version is 2.0.6 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Device crash/reboot logs
  • Unusual Wi-Fi authentication failures

Network Indicators:

  • Malformed EAPOL-Key packets with oversized keydata
  • Abnormal 4-way handshake patterns

SIEM Query:

Search for EAPOL-Key packets with keydata length > expected threshold.

📊 Metadata

CVE ID: CVE-2020-9395
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-787
Published: July 6, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-9395, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)