CVE-2021-35394 — Realtek Jungle SDK Remote Code Execution Vulnerability

CVE-2021-35394

Realtek Jungle SDK — Multiple Memory Corruption and Command Injection Flaws in UDPServer Enabling Unauthenticated RCE Across Hundreds of Router Models

What is the Realtek Jungle SDK?

Realtek Semiconductor produces the WiFi and networking chipsets embedded in hundreds of millions of consumer and enterprise networking devices. The Realtek Jungle SDK (Software Development Kit) provides the software stack that device manufacturers integrate into their router and IoT products built on Realtek chipsets. Device brands including Asus, Belkin, D-Link, Edimax, Hama, Logitec, Netis, Sercomm, ZTE, and dozens of others have shipped products based on the Realtek Jungle SDK. Vulnerabilities in the SDK affect all of these devices simultaneously — creating a massive, difficult-to-patch attack surface across the consumer IoT ecosystem.

Overview

CVE-2021-35394 encompasses multiple memory corruption and command injection vulnerabilities in the Realtek Jungle SDK's UDPServer component — a diagnostic service process that listens on UDP ports. An unauthenticated attacker on the same network (or with internet access if the UDP port is exposed) can send specially crafted diagnostic packets to trigger buffer overflows, a NULL byte write primitive, or direct command injection, achieving root-level code execution on any device running the vulnerable SDK. IoT Inspector Research Lab discovered these vulnerabilities and disclosed them publicly in August 2021. Multiple Mirai botnet variants incorporated these vulnerabilities for mass device recruitment.

Affected Versions

Realtek Jungle SDK: Multiple versions with the UDPServer component
Affected device brands: Asus, Belkin, D-Link, Edimax, Hama, Logitec, Netis, Sercomm, ZTE, and many others
Device types: Home routers, WiFi extenders, IP cameras, IoT devices
Patch availability: Depends on OEM manufacturer — Realtek released patches; OEM firmware updates vary

Technical Details

The Realtek Jungle SDK includes a UDPServer process (also called mp_debug_server) that handles diagnostic commands sent via UDP. This process contains multiple vulnerabilities:

  • Buffer overflow (CVE-2021-35394 primary): The UDPServer processes incoming diagnostic packets without adequate length validation — attacker-controlled packet data overflows stack or heap buffers, enabling arbitrary code execution
  • NULL byte write: A specific packet type writes a NULL byte to an attacker-controlled memory address, providing a controlled write primitive
  • Command injection: A diagnostic command type passes packet data directly to a system() call without sanitization, allowing direct shell command injection
  • No authentication required: UDP diagnostic packets are processed without any authentication
  • Attack reach: If the UDP port is exposed to WAN (many consumer router configurations inadvertently expose it), internet-accessible exploitation is possible
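
As an added illustration (not Realtek's code), the following bounds-checked diagnostic handler closes the two flaw classes described above: it validates the packet's length field before copying anything into a local buffer, and it dispatches opcodes through an allowlist of typed operations instead of passing packet bytes to system(). The packet layout, opcodes, operation names and return codes are invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packet layout (invented for this example, not Realtek's):
 *   byte 0: opcode, byte 1: argument length, bytes 2..: argument bytes. */
#define MAX_ARG 32

enum {
    DIAG_OK = 0,
    DIAG_TOO_SHORT = -1,   /* header or argument truncated */
    DIAG_TOO_LONG = -2,    /* argument would overflow the local buffer */
    DIAG_BAD_OPCODE = -3,  /* opcode not in the allowlist */
    DIAG_BAD_ARG = -4      /* argument failed type or range validation */
};

/* Hypothetical device operations: each receives typed data, never a shell string. */
static int op_report_status(void) { return DIAG_OK; }
static int op_set_channel(long ch) { return (ch >= 1 && ch <= 14) ? DIAG_OK : DIAG_BAD_ARG; }

int handle_diag_packet(const uint8_t *pkt, size_t len)
{
    char arg[MAX_ARG + 1];
    size_t arg_len;

    if (len < 2)                 /* reject before touching the length byte */
        return DIAG_TOO_SHORT;
    arg_len = pkt[1];
    if (arg_len > MAX_ARG)       /* the missing check behind a stack overflow */
        return DIAG_TOO_LONG;
    if (arg_len > len - 2)       /* length field claims more bytes than arrived */
        return DIAG_TOO_SHORT;
    memcpy(arg, pkt + 2, arg_len);
    arg[arg_len] = '\0';

    switch (pkt[0]) {            /* allowlisted opcodes only; no system() anywhere */
    case 0x01:
        return op_report_status();
    case 0x02: {
        char *end;
        long ch = strtol(arg, &end, 10);
        if (arg_len == 0 || *end != '\0')  /* anything but a bare integer (e.g. ';') is rejected */
            return DIAG_BAD_ARG;
        return op_set_channel(ch);
    }
    default:
        return DIAG_BAD_OPCODE;
    }
}
```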

Discovery

The vulnerabilities were discovered by researchers at IoT Inspector Research Lab (Dr. Florian Lukavsky and team) during a systematic security audit of Realtek SDK-based devices. The research identified 14 affected OEM device families. IoT Inspector coordinated disclosure with Realtek, but OEM patch delivery remains inconsistent.

Exploitation Context

Mirai botnet variants rapidly incorporated CVE-2021-35394 after public disclosure, scanning the internet for vulnerable Realtek-based devices and recruiting them into DDoS botnets. By 2022, researchers observed millions of exploitation attempts per month against devices using the Realtek Jungle SDK. The breadth of affected devices — spanning dozens of brands and millions of deployed units — makes this one of the most impactful SDK-level supply chain vulnerabilities in IoT history.

Remediation

  1. Check for firmware updates from your specific router or IoT device manufacturer that address Realtek SDK vulnerabilities
  2. If no patch is available: disable remote management (WAN-side access to the device's web interface and diagnostic ports)
  3. Place the affected device behind an upstream router or firewall that blocks external access to UDP diagnostic ports
  4. Consider replacing EOL devices that will never receive firmware updates addressing this vulnerability
  5. Monitor for signs of device compromise: unexpected network traffic, changes to DNS settings, or unusual CPU usage
  6. Network operators: deploy firewall rules blocking UDP traffic on common Realtek diagnostic ports (UDP 9034 and similar) at network boundaries

Key Details

CVE ID: CVE-2021-35394
Vendor / Product: Realtek — Jungle Software Development Kit (SDK)
NVD Published: 2021-08-16
NVD Last Modified: 2025-11-07
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CISA KEV Added: 2021-12-10
CISA KEV Deadline: 2021-12-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-12-24. Apply updates per vendor instructions.

Timeline

2021-08-16: IoT Inspector publishes research on Realtek SDK vulnerabilities; CVE published
2021-12-10: Added to CISA Known Exploited Vulnerabilities catalog
2021-12-24: CISA BOD 22-01 remediation deadline