24 August 2021

Hackers rush to exploit recently disclosed Realtek SDK vulnerabilities


Researchers at cybersecurity company SAM are warning of hackers attempting to exploit a recent set of dangerous vulnerabilities in Realtek SDK that came to light earlier this month.

Tracked as CVE-2021-35392, CVE-2021-35393, CVE-2021-35394 and CVE-2021-35395, the critical flaws reside in Realtek chipsets used in hundreds of thousands of smart devices from at least 65 vendors, including Asus, Belkin, D-Link, Netgear, Tenda, ZTE, and Zyxel, to name a few. The affected devices range from residential gateways and travel routers to Wi-Fi repeaters, IP cameras, and smart lighting gateways or connected toys, according to security firm IoT Inspector, which first disclosed the flaws.

By exploiting the above vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege.

Just days after the details of the vulnerabilities were made public, SAM researchers noticed that one of the flaws (CVE-2021-35395) was being exploited in the wild to spread a Mirai variant, the same variant spotted in March by Palo Alto Networks.

“Specifically, we noticed exploit attempts to “formWsc” and “formSysCmd” web pages. The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks,” the researchers said.

“A similar incident was reported two weeks ago, on August 6th, by Juniper Networks [5]. A newly discovered vulnerability was then exploited in the wild only 2 days after publication to spread the same Mirai variant… The webserver serving the Mirai botnet uses the same network subnet, indicating that the same attacker is involved in both incidents.”

The SAM research team said that based on their own analysis, the most common device models currently running the vulnerable Realtek SDK include the following:

  • Netis E1+ extender

  • Edimax N150 and N300 Wi-Fi router

  • Repotec RP-WR5444 router

The researchers provided full attack details, as well as Indicators of Compromise (IOCs) in their blog post.
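As an added example, not taken from SAM's or IoT Inspector's material, the following script shows a simple defensive check an operator could run over a device's or gateway's web access log to flag requests to the two pages named above ("formWsc" and "formSysCmd") and count them per source address. The Common Log Format, the sample lines, and the "/boafrm/" path prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2021:10:01:02 +0000] "POST /boafrm/formWsc HTTP/1.1" 200 512
192.0.2.10 - - [24/Aug/2021:10:01:05 +0000] "GET /index.htm HTTP/1.1" 200 1024
203.0.113.5 - - [24/Aug/2021:10:01:09 +0000] "POST /boafrm/formSysCmd HTTP/1.1" 200 128
198.51.100.7 - - [24/Aug/2021:10:02:00 +0000] "GET /boafrm/formWsc HTTP/1.1" 404 0
"""

# Page names taken from the SAM report quoted above; the "/boafrm/" prefix
# in the sample lines is an assumption, so matching is done on the page name only.
WATCHED_PAGES = ("formWsc", "formSysCmd")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_requests(log_text):
    """Return parsed entries whose request path ends in a watched page name.

    Status code is deliberately ignored: a 404 still shows someone probing."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        page = entry["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if page in WATCHED_PAGES:
            entry["page"] = page
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count hits per source IP so repeat sources stand out for alerting or blocking."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["page"]} -> {h["status"]}')
    print(dict(summarize_by_source(found)))
```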

