CVE-2021-35393 – This vulnerability allows remote unauthenticate... (How to Fix)

Q: What is the severity of CVE-2021-35393?

CVE-2021-35393 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote unauthenticated attackers to execute arbitrary code on affected devices by exploiting a stack buffer overflow in Realtek Jungle SDK's WiFi Simple Config server. The vulnerability affects devices using Realtek SDK versions v2.x through v3.4.14B that have the wscd or mini_upnpd service enabled. This primarily impacts IoT devices, routers, and embedded systems in the supply chain.

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to execute arbitrary code on affected devices by exploiting a stack buffer overflow in Realtek Jungle SDK's WiFi Simple Config server. The vulnerability affects devices using Realtek SDK versions v2.x through v3.4.14B that have the wscd or mini_upnpd service enabled. This primarily impacts IoT devices, routers, and embedded systems in the supply chain.

💻 Affected Systems

Products:

Realtek Jungle SDK-based devices
IoT devices using Realtek chipsets
Various routers and embedded systems

Versions: v2.x through v3.4.14B

Operating Systems: Embedded Linux systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with wscd or mini_upnpd service running. Many devices enable this service by default for UPnP/SSDP functionality.

📦 What is this software?

Rtl819x Jungle Software Development Kit by Realtek

View all CVEs affecting Rtl819x Jungle Software Development Kit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, lateral movement within networks, and potential botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to steal credentials, intercept network traffic, or use device as pivot point for further attacks.

🟢

If Mitigated

Limited impact if service is disabled or network segmentation prevents external access.

🌐 Internet-Facing: HIGH - The vulnerable service typically listens on network interfaces and can be exploited remotely without authentication.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated exploitation across network segments.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward due to the buffer overflow in UPnP SUBSCRIBE/UNSUBSCRIBE Callback header parsing. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.4.14C and later

Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf

Restart Required: Yes

Instructions:

1. Contact device manufacturer for updated firmware. 2. Apply firmware update. 3. Reboot device. 4. Verify wscd/mini_upnpd service is updated.

🔧 Temporary Workarounds

Disable vulnerable service

linux

Stop and disable the wscd or mini_upnpd service

systemctl stop wscd
systemctl disable wscd
killall wscd
killall mini_upnpd

Block UPnP/SSDP traffic

linux

Use firewall rules to block UPnP (1900/udp) and SSDP traffic

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p tcp --dport 1900 -j DROP

🧯 If You Can't Patch

Network segmentation: Isolate affected devices in separate VLANs
Implement strict firewall rules to block all inbound traffic to vulnerable devices

🔍 How to Verify

Check if Vulnerable:

Check if wscd or mini_upnpd process is running: ps aux | grep -E 'wscd|mini_upnpd'

Check Version:

Check device firmware version or contact manufacturer for SDK version information

Verify Fix Applied:

Verify service version or check that vulnerable service is no longer running

📡 Detection & Monitoring

Log Indicators:

Unusual UPnP SUBSCRIBE/UNSUBSCRIBE requests
wscd/mini_upnpd process crashes
Memory corruption errors in system logs

Network Indicators:

Malformed UPnP packets to port 1900
Unusual outbound connections from affected devices

SIEM Query:

source="*syslog*" AND (process="wscd" OR process="mini_upnpd") AND (message="*segmentation fault*" OR message="*buffer overflow*")

📊 Metadata

CVE ID: CVE-2021-35393

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: August 16, 2021

Last Updated: August 13, 2025

🔗 References

https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain Broken Link,Exploit,Third Party Advisory
https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en Broken Link,Patch,Vendor Advisory
https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf Patch,Vendor Advisory
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain Broken Link,Exploit,Third Party Advisory
https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en Broken Link,Patch,Vendor Advisory
https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-35393, you might also want to check these: