Login Sign Up

CVE-2021-35395

9.8 CRITICAL
Remote Code Execution Buffer Overflow

📋 TL;DR

CVE-2021-35395 is a critical vulnerability in Realtek Jungle SDK's web management interface affecting both Go-Ahead (webs) and Boa (boa) servers. It allows remote attackers to execute arbitrary code through multiple stack buffer overflows and command injection flaws. This affects numerous IoT devices and routers from various manufacturers that use the vulnerable Realtek SDK.

💻 Affected Systems

Products:
  • Various IoT devices, routers, and access points using Realtek Jungle SDK
Versions: Realtek Jungle SDK v2.x up to v3.4.14B
Operating Systems: Embedded Linux systems
Default Config Vulnerable: ⚠️ Yes
Notes: Impact varies by vendor implementation - some add authentication, some modify features, but core vulnerabilities remain exploitable.

📦 What is this software?

Rtl819x Jungle Software Development Kit by Realtek

View all CVEs affecting Rtl819x Jungle Software Development Kit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains full control of affected device, enabling persistent access, network pivoting, and deployment of malware/botnets.

🟠

Likely Case

Remote code execution leading to device compromise, credential theft, and lateral movement within networks containing vulnerable devices.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound rules and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Web management interface is typically exposed, and exploitation requires no authentication.
🏢 Internal Only: HIGH - Even internally, vulnerable devices can be exploited for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple exploitation vectors documented in advisories with proof-of-concept details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Realtek Jungle SDK v3.4.14C and later

Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf

Restart Required: Yes

Instructions:

1. Contact device manufacturer for firmware updates. 2. Apply vendor-provided patches. 3. Reboot affected devices after patching.

🔧 Temporary Workarounds

Disable web management interface

all

Disable the vulnerable web server if not required for operations

Device-specific - consult vendor documentation

Network access restrictions

linux

Restrict access to management interface using firewall rules

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict firewall rules
  • Implement network monitoring for exploitation attempts and anomalous device behavior

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against vendor advisories. Use vulnerability scanners to detect exposed Realtek management interfaces.

Check Version:

Device-specific - typically via web interface or SSH command line (varies by vendor)

Verify Fix Applied:

Verify firmware version is updated beyond v3.4.14B. Test management interface for buffer overflow vulnerabilities.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to management endpoints
  • Multiple failed buffer overflow attempts
  • Unexpected process execution or system commands

Network Indicators:

  • HTTP requests with long parameters to /goform endpoints
  • Traffic patterns indicating exploitation attempts

SIEM Query:

source="web_server" AND (url="*goform*" AND (param_length>100 OR contains(param,";")))

📊 Metadata

CVE ID: CVE-2021-35395
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: August 16, 2021
Last Updated: November 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON