CVE-2021-35395 — Realtek AP-Router SDK Buffer Overflow Vulnerability

Realtek AP-Router SDK — Buffer Overflow in boa HTTP Web Server Enabling Unauthenticated RCE Across Multiple Router Vendors

What is the Realtek AP-Router SDK?

Realtek Semiconductor produces the RTL8xxx series of wireless networking chipsets used in countless consumer and enterprise routers, access points, and IoT devices. The Realtek AP-Router SDK provides the software stack that OEM manufacturers integrate into their products. Because a single SDK vulnerability affects all devices built on that SDK — from dozens of OEM brands — SDK vulnerabilities represent supply-chain-level security failures. This CVE affects devices from manufacturers including Asus, Belkin, D-Link, Netgear, Tenda, and others. See also CVE-2021-35394 for the companion Jungle SDK RCE vulnerability.

Overview

CVE-2021-35395 is a buffer overflow vulnerability in the boa HTTP web server included with the Realtek AP-Router SDK. The boa web server processes form submissions and HTTP parameters without adequate length validation. An unauthenticated remote attacker can send an HTTP request with an overly long parameter value to trigger a stack buffer overflow, potentially achieving code execution with root privileges on the affected device. IoT Inspector Research Lab discovered this vulnerability alongside CVE-2021-35394 in the same SDK audit. Mirai botnet variants incorporated both Realtek SDK vulnerabilities for mass device recruitment.

Affected Versions

Context                  Details
Realtek AP-Router SDK    Multiple versions with vulnerable boa web server
Affected device brands   Asus, Belkin, D-Link, Netgear, Tenda, and many others using Realtek RTL8xxx chipsets
Patch availability       Depends on OEM manufacturer — contact device vendor for firmware update

Technical Details

The boa web server (a lightweight single-threaded HTTP server widely used in embedded devices) in the Realtek AP-Router SDK processes HTTP form submissions. When form parameters are copied into fixed-size stack buffers without bounds checking, overly long attacker-supplied values overflow those buffers:

  • Root cause: Stack buffer overflow (CWE-121) — form parameter values are copied into fixed-size buffers using unsafe string operations like strcpy() without length validation
  • Vulnerable operations: Certain form processing endpoints in the boa-based router admin interface, including network configuration and device setup forms
  • Authentication required: None — the vulnerable endpoints are accessible without authentication on many devices
  • Code execution: With control over the stack, an attacker can redirect execution via return address overwrite or ROP chains
  • Context: Code runs as root on the router's embedded Linux OS
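To make the root cause above concrete, the following added example (not code from the Realtek SDK or from the boa project) shows the unchecked strcpy() pattern the advisory describes as a comment, beside a hardened form-field lookup that rejects any value that does not fit its buffer and logs the rejection so it can be picked up as a detection signal. The field names (`ssid`, `channel`), the 32-byte buffer size, the handler name and the request bodies are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field buffer, standing in for the fixed-size stack
 * buffers the advisory describes; the size is chosen for this example. */
#define FIELD_MAX 32

/*
 * The CWE-121 pattern as the advisory describes it (kept as a comment so
 * this file never executes it):
 *
 *   void copy_field_unchecked(const char *value)
 *   {
 *       char buf[FIELD_MAX];
 *       strcpy(buf, value);   // no length check: a value of FIELD_MAX or
 *   }                         // more bytes writes past the end of buf
 *
 * Everything below replaces that copy with a bounded lookup.
 */

enum form_status {
    FORM_OK = 0,        /* value copied, NUL-terminated, within bounds */
    FORM_MISSING = 1,   /* field not present in the body */
    FORM_TOO_LONG = 2,  /* value would not fit: rejected, not truncated */
    FORM_BAD_ARGS = 3   /* caller supplied a zero-length output buffer */
};

/* Find `name` in an application/x-www-form-urlencoded body and copy its
 * value into `out` (capacity out_len, including the terminating NUL).
 * A value that does not fit is rejected rather than truncated. */
enum form_status get_form_field(const char *body, const char *name,
                                char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = body;

    if (out_len == 0)
        return FORM_BAD_ARGS;
    out[0] = '\0';

    while (*p) {
        /* p always points at the start of a "key=value" pair. */
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *val = p + name_len + 1;
            size_t val_len = strcspn(val, "&");  /* value ends at '&' or NUL */

            if (val_len >= out_len)              /* leave room for the NUL */
                return FORM_TOO_LONG;
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return FORM_OK;
        }
        p += strcspn(p, "&");                    /* skip this pair */
        if (*p == '&')
            p++;
    }
    return FORM_MISSING;
}

/* Convenience check used by the stand-alone run: 1 if `name` is present
 * and its bounded copy equals `expected`, else 0. */
int field_equals(const char *body, const char *name, const char *expected)
{
    char out[FIELD_MAX];
    return get_form_field(body, name, out, sizeof out) == FORM_OK &&
           strcmp(out, expected) == 0;
}

/* Hypothetical network-configuration form handler. Every field goes
 * through the bounded lookup; an over-long value is logged and the
 * request refused instead of being copied onto the stack. */
enum form_status process_network_form(const char *body)
{
    char ssid[FIELD_MAX];
    char channel[FIELD_MAX];
    enum form_status st;

    st = get_form_field(body, "ssid", ssid, sizeof ssid);
    if (st == FORM_OK)
        st = get_form_field(body, "channel", channel, sizeof channel);

    if (st == FORM_TOO_LONG)
        fprintf(stderr, "refused form: parameter exceeds %d bytes "
                        "(possible overflow attempt)\n", FIELD_MAX - 1);
    return st;   /* configuration would be applied only on FORM_OK */
}

/* Constructed probe: submit an `ssid` value of `n` 'A' bytes and report
 * how the handler classifies it. */
enum form_status status_for_ssid_length(size_t n)
{
    char body[512];
    const char *prefix = "ssid=", *suffix = "&channel=6";
    size_t plen = strlen(prefix), slen = strlen(suffix);

    if (plen + n + slen + 1 > sizeof body)
        return FORM_BAD_ARGS;                    /* probe itself would not fit */
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', n);
    memcpy(body + plen + n, suffix, slen + 1);   /* copies the NUL too */
    return process_network_form(body);
}

int main(void)
{
    /* Constructed sample bodies: one normal, one with an over-long value. */
    printf("normal request: status %d\n",
           process_network_form("ssid=HomeNet&channel=6"));
    printf("200-byte ssid:  status %d\n", (int)status_for_ssid_length(200));
    return 0;
}
```

The design point is that the hardened lookup rejects rather than truncates: silently cutting a value to fit would still let an attacker-controlled request pass validation, whereas a refusal both keeps the stack intact and produces a log line that a monitoring pipeline can count.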

Discovery

Discovered by IoT Inspector Research Lab (the same research team that found CVE-2021-35394). The vulnerabilities were reported to Realtek and the relevant OEMs before public disclosure.

Exploitation Context

Mirai botnet variants rapidly incorporated the Realtek SDK vulnerabilities after public disclosure. Millions of routers and access points based on Realtek chipsets are internet-accessible with their admin web interfaces exposed. The long-tail exploitation of embedded device vulnerabilities means these routers continue to be recruited into botnets years after the initial patch release, as many OEM manufacturers delay or never release firmware updates.

Remediation

  1. Check for firmware updates from your specific router manufacturer that address Realtek AP-Router SDK vulnerabilities
  2. If no patch is available, restrict access to the router's web management interface to internal LAN-only access — disable remote management (WAN-side HTTP/HTTPS access)
  3. Change default administrative credentials
  4. Consider replacing EOL devices that will not receive firmware updates
  5. Monitor router network behavior for signs of botnet activity (unusual outbound connections, high bandwidth usage)

Key Details

Property              Value
CVE ID                CVE-2021-35395
Vendor / Product      Realtek — AP-Router SDK
NVD Published         2021-08-16
NVD Last Modified     2025-11-07
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-08-16  IoT Inspector publishes Realtek SDK research; CVE published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline