Security Experts:

Connect with us

Hi, what are you looking for?



Realtek SDK Vulnerabilities Exploited in Attacks Days After Disclosure

Researchers noticed that threat actors started exploiting Realtek SDK vulnerabilities shortly after their details were made public.

Researchers noticed that threat actors started exploiting Realtek SDK vulnerabilities shortly after their details were made public.

Realtek informed customers about the flaws and the availability of patches in an advisory published on August 15. The next day, details were disclosed by firmware security company IoT Inspector, whose researchers discovered the vulnerabilities.

SAM Seamless Network, a company that specializes in home network security, noticed on August 18 that hackers had already started exploiting some of the vulnerabilities in the wild.

IoT Inspector researchers identified more than a dozen vulnerabilities in the SDKs provided by Realtek to companies that use its RTL8xxx chips. Some of the security holes can be exploited by a remote, unauthenticated attacker to take complete control of a targeted device.

IoT inspector identified nearly 200 unique types of affected devices from a total of 65 different vendors, including routers, IP cameras, Wi-Fi repeaters and residential gateways from companies such as ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The firm estimated that there could be as many as one million systems that are exposed to remote attacks due to these vulnerabilities.

Four CVE identifiers have been assigned to the flaws: CVE-2021-35392, CVE-2021-35393, CVE-2021-35394 and CVE-2021-35395. According to SAM, CVE-2021-35395, which comprises six different bugs, has been exploited in the wild to deliver a variant of the Mirai IoT malware.

The malware appears to be a Mirai variant detailed by Palo Alto Networks in March. The cybersecurity firm warned at the time that the botnet powered by this malware had been exploiting 10 different vulnerabilities in an effort to hijack IoT devices, and noted that new exploits were sometimes added within hours after a flaw was disclosed.

Earlier this month, Juniper Networks started seeing attempts to exploit CVE-2021-20090, a vulnerability that affects at least 20 vendors that provide routers running firmware made by Arcadyan, a Taiwan-based provider of networking solutions. Attacks exploiting CVE-2021-20090 were also spotted just days after the security hole was made public, and those attacks have also been linked to the same Mirai variant.

“According to SAM’s own research of connected devices, based on anonymously collected network data spanning more than 2M home and business networks, the following devices are the most common devices with the Realtek SDK: Netis E1+ extender, Edimax N150 and N300 Wi-Fi router, Repotec RP-WR5444 router,” SAM said in a blog post last week. “These devices are used mainly to enhance Wi-Fi reception.”

The company has made available indicators of compromise (IOCs) for the attacks it has observed.

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Related: New ‘Gucci’ IoT Botnet Targets Europe

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.