Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in a myriad of industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.

Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in a myriad of industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.

The low-power Wi-Fi module is designed for use in embedded devices, and is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security.

The RTL8195A chip supports WEP, WPA and WPA2 authentication modes, and Vdoo discovered that the WPA2 handshake mechanism is prone to stack overflow and out-of-bounds read bugs.

Tracked as CVE-2020-9395, the most severe of the flaws is a remotely exploitable stack overflow that could lead to a complete takeover of the module and the device’s wireless communications. The vulnerability can be exploited by an attacker in the proximity of a vulnerable system, even if they don’t know the Wi-Fi network password (Pre-Shared-Key, or PSK).

Two other vulnerabilities (an out-of-bounds read and a stack-based buffer overflow) could also be exploited without knowing the network security key (the PMK, which is derived from the PSK), to execute code remotely or cause a denial of service (DoS) condition.

All of the remaining three vulnerabilities are stack-based buffer overflow issues that could lead to remote code execution, but exploitation requires for the attacker to know the network’s PSK. Thus, the use of a strong, private WPA2 passphrase should prevent exploitation of these bugs.

Realtek has published an advisory for CVE-2020-9395 only, revealing that RTL8711AM, RTL8711AF, and RTL8710AF modules are also vulnerable.

“An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. A stack-based buffer overflow exists in the client code that takes care of WPA2’s 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer,” Realtek explains.

According to Vdoo’s researchers, because no mitigating factors are in place, exploitation of this vulnerability is trivial. Exploitation is possible regardless of whether the victim is the client or the access point.

Vdoo says all of these vulnerabilities have been addressed in the latest version of Ameba Arduino (2.0.8 and above). Updated versions of the Ameba SDK are available on Realtek’s website.

Device versions built after March 3, 2020, are patched against CVE-2020-9395, while versions built after April 21, 2020 are completely patched against all issues.

Related: DLL Hijacking Vulnerability Found in Realtek HD Audio Driver

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Related: Vulnerabilities in Device Drivers From 20 Vendors Expose PCs to Persistent Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet