Security Experts:

Connect with us

Hi, what are you looking for?



Realtek SDK Vulnerabilities Exploited in Attacks Days After Disclosure

Researchers noticed that threat actors started exploiting Realtek SDK vulnerabilities shortly after their details were made public.

Researchers noticed that threat actors started exploiting Realtek SDK vulnerabilities shortly after their details were made public.

Realtek informed customers about the flaws and the availability of patches in an advisory published on August 15. The next day, details were disclosed by firmware security company IoT Inspector, whose researchers discovered the vulnerabilities.

SAM Seamless Network, a company that specializes in home network security, noticed on August 18 that hackers had already started exploiting some of the vulnerabilities in the wild.

IoT Inspector researchers identified more than a dozen vulnerabilities in the SDKs provided by Realtek to companies that use its RTL8xxx chips. Some of the security holes can be exploited by a remote, unauthenticated attacker to take complete control of a targeted device.

IoT inspector identified nearly 200 unique types of affected devices from a total of 65 different vendors, including routers, IP cameras, Wi-Fi repeaters and residential gateways from companies such as ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The firm estimated that there could be as many as one million systems that are exposed to remote attacks due to these vulnerabilities.

Four CVE identifiers have been assigned to the flaws: CVE-2021-35392, CVE-2021-35393, CVE-2021-35394 and CVE-2021-35395. According to SAM, CVE-2021-35395, which comprises six different bugs, has been exploited in the wild to deliver a variant of the Mirai IoT malware.

The malware appears to be a Mirai variant detailed by Palo Alto Networks in March. The cybersecurity firm warned at the time that the botnet powered by this malware had been exploiting 10 different vulnerabilities in an effort to hijack IoT devices, and noted that new exploits were sometimes added within hours after a flaw was disclosed.

Earlier this month, Juniper Networks started seeing attempts to exploit CVE-2021-20090, a vulnerability that affects at least 20 vendors that provide routers running firmware made by Arcadyan, a Taiwan-based provider of networking solutions. Attacks exploiting CVE-2021-20090 were also spotted just days after the security hole was made public, and those attacks have also been linked to the same Mirai variant.

“According to SAM’s own research of connected devices, based on anonymously collected network data spanning more than 2M home and business networks, the following devices are the most common devices with the Realtek SDK: Netis E1+ extender, Edimax N150 and N300 Wi-Fi router, Repotec RP-WR5444 router,” SAM said in a blog post last week. “These devices are used mainly to enhance Wi-Fi reception.”

The company has made available indicators of compromise (IOCs) for the attacks it has observed.

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Related: New ‘Gucci’ IoT Botnet Targets Europe

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.