CVE-2021-35402
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary operating system commands on PROLiNK PRC2402M routers by injecting shell metacharacters into the 'ip' parameter of the live_api.cgi endpoint. Attackers can achieve full system compromise without authentication. All users running affected firmware versions are vulnerable.
💻 Affected Systems
- PROLiNK PRC2402M
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, allowing installation of persistent backdoors, data exfiltration, and use as pivot point for internal network attacks.
Likely Case
Remote code execution leading to router compromise, credential theft, DNS hijacking, and participation in botnets.
If Mitigated
Limited impact if network segmentation isolates routers and external access is blocked.
🎯 Exploit Status
The exploit requires simple HTTP requests with command injection payloads. Public proof-of-concept code exists in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware dated 2021-06-13 or later
Vendor Advisory: Not provided in references
Restart Required: Yes
Instructions:
1. Download the latest firmware from the PROLiNK support site.
2. Log into the router admin interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Reboot the router after the update completes.
🔧 Temporary Workarounds
Block External Access
Prevent internet access to the router admin interface using firewall rules:
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
As written these rules drop all inbound HTTP/HTTPS, including management from the LAN; add -i followed by the WAN interface name to limit them to the internet-facing interface.
Disable CGI Endpoint
Remove or restrict access to the vulnerable live_api.cgi endpoint:
chmod 000 /www/cgi-bin/live_api.cgi
🧯 If You Can't Patch
- Isolate router on separate VLAN with strict firewall rules blocking all unnecessary traffic
- Implement network-based intrusion detection to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the router admin interface under the System Status or About page. If the date is before 2021-06-13, the system is vulnerable.
Check Version:
curl -s http://router-ip/ | grep -i firmware || ssh admin@router 'cat /etc/version'
Verify Fix Applied:
Confirm that the firmware version shows a date of 2021-06-13 or later. Sending a safe payload such as 'ip=127.0.0.1;echo test' to the endpoint should no longer execute the command.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/live_api.cgi with shell metacharacters in parameters
- Unusual process execution from web server user
Network Indicators:
- HTTP POST/GET requests containing semicolons, pipes, backticks, or dollar signs in URL parameters
- Unexpected outbound connections from router
SIEM Query:
source="router_logs" AND url="*live_api.cgi*" AND (url="*;*" OR url="*`*" OR url="*$(*" OR url="*|*")
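The SIEM query above matches only literal metacharacters in the logged URL. The following Python script is an added example, not part of the advisory or any vendor tooling: it applies the same indicators to access-log lines, but percent-decodes each query parameter first (so a %3B-encoded semicolon is caught as well) and adds a positive check that the 'ip' parameter is a bare address literal. The log format, the path /cgi-bin/live_api.cgi and the sample lines are constructed assumptions.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote

# Path of the vulnerable CGI endpoint named in the advisory (assumed location)
TARGET_PATH = "/cgi-bin/live_api.cgi"

# Shell metacharacters the advisory's SIEM query looks for (; ` $( |),
# plus newline and &&, which reach a shell the same way
META_PATTERN = re.compile(r"[;`|\n]|\$\(|&&")

# Common/combined log format: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not captured traffic)
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jun/2021:10:01:02 +0000] "GET /cgi-bin/live_api.cgi?ip=8.8.8.8 HTTP/1.1" 200 512
192.0.2.11 - - [13/Jun/2021:10:01:07 +0000] "GET /cgi-bin/live_api.cgi?ip=127.0.0.1;echo%20test HTTP/1.1" 200 17
192.0.2.12 - - [13/Jun/2021:10:01:09 +0000] "GET /cgi-bin/live_api.cgi?ip=127.0.0.1%3Becho%20test HTTP/1.1" 200 17
192.0.2.13 - - [13/Jun/2021:10:01:15 +0000] "GET /index.html?page=a;b HTTP/1.1" 200 2048
192.0.2.14 - - [13/Jun/2021:10:02:00 +0000] "POST /cgi-bin/live_api.cgi HTTP/1.1" 200 17
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Split the query string by hand (parse_qsl treats ';' as a separator on
    older Pythons, hiding exactly the character we look for) and
    percent-decode each name and value."""
    query = urlsplit(target).query
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(value)))
    return params


def param_findings(name, value):
    """Reasons a decoded parameter value looks like an injection attempt."""
    reasons = []
    if META_PATTERN.search(value):
        reasons.append("shell metacharacter")
    if name == "ip":
        # Positive check: a legitimate 'ip' value is a bare IP literal
        try:
            ipaddress.ip_address(value)
        except ValueError:
            reasons.append("ip is not an address literal")
    return reasons


def scan(log_text):
    """Return one alert per request to live_api.cgi with a suspicious query parameter."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or urlsplit(rec["target"]).path != TARGET_PATH:
            continue
        findings = []
        for name, value in query_params(rec["target"]):
            reasons = param_findings(name, value)
            if reasons:
                findings.append({"param": name, "value": value, "reasons": reasons})
        if findings:
            alerts.append({"client": rec["client"], "ts": rec["ts"],
                           "method": rec["method"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["method"], alert["findings"])
```

Run against the constructed sample, the scan flags the two live_api.cgi requests carrying a semicolon (one literal, one percent-encoded) and ignores the semicolon in the unrelated /index.html request. The POST line produces no alert because the access log does not record request bodies; parameters sent in a POST body need inspection at a proxy or IDS, which the URL-only SIEM query above also cannot see.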