CVE-2021-35392 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-35392?

CVE-2021-35392 has a CVSS score of 7.5 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on affected devices via a heap buffer overflow in Realtek Jungle SDK's WiFi Simple Config server. Attackers can exploit this by sending specially crafted SSDP NOTIFY messages in response to M-SEARCH requests. This affects IoT devices, routers, and other embedded systems using Realtek SDK versions v2.x through v3.4.14B.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected devices via a heap buffer overflow in Realtek Jungle SDK's WiFi Simple Config server. Attackers can exploit this by sending specially crafted SSDP NOTIFY messages in response to M-SEARCH requests. This affects IoT devices, routers, and other embedded systems using Realtek SDK versions v2.x through v3.4.14B.

💻 Affected Systems

Products:

Realtek Jungle SDK
Various IoT devices using Realtek SDK
Routers with Realtek chipsets
Embedded systems with Realtek WiFi modules

Versions: v2.x through v3.4.14B

Operating Systems: Embedded Linux, RTOS

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerable wscd/mini_upnpd service typically runs by default on affected devices. Many consumer IoT devices and routers use Realtek SDK components.

📦 What is this software?

Rtl819x Jungle Software Development Kit by Realtek

View all CVEs affecting Rtl819x Jungle Software Development Kit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, enabling attackers to install malware, pivot to internal networks, or create botnet nodes.

🟠

Likely Case

Remote code execution allowing attackers to gain control of vulnerable devices, potentially leading to data theft, network reconnaissance, or denial of service.

🟢

If Mitigated

Limited impact if devices are behind firewalls with SSDP/UPnP traffic blocked and network segmentation is implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires network access to the vulnerable service (port 1900/udp typically). The vulnerability is in SSDP protocol handling, which is widely implemented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.4.14C and later

Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply firmware update from device vendor. 3. Reboot device after update. 4. Verify wscd/mini_upnpd service is updated.

🔧 Temporary Workarounds

Disable SSDP/UPnP service

linux

Disable the vulnerable wscd or mini_upnpd service to prevent exploitation.

killall wscd
killall mini_upnpd
systemctl disable wscd
systemctl disable mini_upnpd

Block SSDP traffic at firewall

linux

Block UDP port 1900 and related UPnP traffic to prevent remote exploitation.

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A OUTPUT -p udp --dport 1900 -j DROP

🧯 If You Can't Patch

Segment affected devices on isolated network segments
Implement strict firewall rules blocking all SSDP/UPnP traffic (UDP 1900) to/from affected devices

🔍 How to Verify

Check if Vulnerable:

Check if wscd or mini_upnpd process is running and check SDK version: ps aux | grep -E 'wscd|mini_upnpd'

Check Version:

Check device firmware version via vendor-specific commands or web interface

Verify Fix Applied:

Verify firmware version is v3.4.14C or later and wscd/mini_upnpd process is not vulnerable version

📡 Detection & Monitoring

Log Indicators:

Multiple SSDP NOTIFY messages from single source
wscd/mini_upnpd process crashes
Memory corruption errors in system logs

Network Indicators:

Unusual SSDP traffic patterns
SSDP NOTIFY messages with malformed ST headers
Traffic to UDP port 1900 from unexpected sources

SIEM Query:

source_port=1900 AND (protocol=UDP) AND (event_description CONTAINS 'SSDP' OR event_description CONTAINS 'UPnP')

📊 Metadata

CVE ID: CVE-2021-35392

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-787

Published: August 16, 2021

Last Updated: August 13, 2025

🔗 References

https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain Broken Link,Exploit,Third Party Advisory
https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en Broken Link,Patch,Vendor Advisory
https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf Patch,Vendor Advisory
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain Broken Link,Exploit,Third Party Advisory
https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en Broken Link,Patch,Vendor Advisory
https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-35392, you might also want to check these: