
CVE-2021-35393: Realtek Jungle SDK RCE Vulnerability

CVE-2021-35393 is a remote code execution vulnerability in Realtek Jungle SDK affecting the WiFi Simple Config server. Attackers can exploit a stack buffer overflow to execute arbitrary code. This article covers technical details.

Published: February 25, 2026

CVE-2021-35393 Overview

CVE-2021-35393 is a critical stack buffer overflow vulnerability affecting Realtek Jungle SDK versions v2.x through v3.4.14B. The vulnerability exists in the 'WiFi Simple Config' server component, which implements both UPnP and SSDP protocols. This binary is typically named wscd or mini_upnpd and serves as the successor to miniigd. The flaw enables remote unauthenticated attackers to achieve arbitrary code execution on affected devices through maliciously crafted network requests.

Critical Impact

Remote unauthenticated attackers can exploit unsafe parsing of UPnP SUBSCRIBE/UNSUBSCRIBE Callback headers to execute arbitrary code on vulnerable IoT devices, potentially leading to complete device compromise and network infiltration.

Affected Products

  • Realtek RTL819x Jungle Software Development Kit v2.x
  • Realtek RTL819x Jungle Software Development Kit versions up to v3.4.14B
  • IoT devices and routers built on the affected Realtek SDK

Discovery Timeline

  • August 16, 2021 - CVE-2021-35393 published to NVD
  • August 13, 2025 - Last updated in NVD database

Technical Details for CVE-2021-35393

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-bounds Write), specifically manifesting as a stack buffer overflow condition. The flaw resides in the WiFi Simple Config server's handling of UPnP protocol messages. When the server processes SUBSCRIBE or UNSUBSCRIBE requests, it fails to properly validate the length of the Callback header before copying its contents to a stack-based buffer. This memory corruption vulnerability is particularly dangerous in embedded IoT devices where security mitigations such as ASLR and stack canaries may be absent or weakly implemented.

The network-accessible nature of this vulnerability, combined with no authentication requirements, makes it an attractive target for automated exploitation at scale. Devices running the vulnerable SDK are typically exposed on local networks and, in some configurations, may be accessible from the internet.

Root Cause

The root cause is improper input validation and unsafe memory handling in the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header parsing routine within wscd or mini_upnpd. The code fails to perform adequate bounds checking before copying user-controlled data from the Callback header into a fixed-size stack buffer. When an attacker supplies a Callback header value exceeding the allocated buffer size, the overflow corrupts adjacent stack memory, potentially overwriting the return address and enabling control flow hijacking.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Sending a crafted UPnP SUBSCRIBE or UNSUBSCRIBE request to the target device
  2. Including a malicious Callback header with payload data exceeding buffer boundaries
  3. Overflowing the stack buffer to overwrite the return address
  4. Redirecting execution to attacker-controlled shellcode or ROP chain

The vulnerability can be exploited by any attacker with network access to the UPnP service, typically running on ports 1900 (SSDP) or 52881 (UPnP). Given the prevalence of Realtek SDKs in consumer routers and IoT devices, this creates a significant attack surface across millions of deployed devices.

Detection Methods for CVE-2021-35393

Indicators of Compromise

  • Unusual network traffic to UPnP ports (1900/UDP, 52881/TCP) with abnormally large Callback headers
  • Unexpected crashes or restarts of wscd or mini_upnpd processes
  • Signs of unauthorized access or configuration changes on affected devices
  • Presence of unknown binaries or persistence mechanisms on compromised devices

Detection Strategies

  • Deploy network intrusion detection rules to identify malformed UPnP SUBSCRIBE/UNSUBSCRIBE requests with oversized Callback headers
  • Monitor for anomalous process behavior on embedded devices, including unexpected child process spawning from wscd or mini_upnpd
  • Implement deep packet inspection at network boundaries to detect exploitation attempts targeting UPnP services
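The unchecked copy described under Root Cause and the oversized-header detection rule listed above, as an added example in C that is not Realtek SDK code: the header parser, the buffer sizes, the length threshold and the sample requests are constructed assumptions for illustration.

```c
/* Added illustration (not Realtek SDK code): a bounded copy in place of the
 * unchecked copy of the UPnP Callback header into a fixed stack buffer, plus a
 * length-based detection check. Buffer sizes and sample input are constructed. */
#include <string.h>
/* Find the Callback header value; return its length or -1 if absent/malformed.
 * Header names are case-insensitive; two common spellings are matched here. */
static int find_callback(const char *req, const char **start)
{
    const char *p = req;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (strncmp(p, "CALLBACK:", 9) && strncmp(p, "Callback:", 9)) continue;
        p += 9;
        while (*p == ' ' || *p == '\t') p++;
        const char *end = strstr(p, "\r\n");
        if (end == NULL) return -1;            /* header line never terminated */
        *start = p;
        return (int)(end - p);
    }
    return -1;
}

/* Hardened copy: the vulnerable pattern copied the value with no length check;
 * here a value that would not fit (with its NUL) is rejected, never truncated. */
int copy_callback_safe(const char *req, char *out, size_t outsz)
{
    const char *val;
    int len = find_callback(req, &val);
    if (len < 0 || (size_t)len >= outsz) return -1;
    memcpy(out, val, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Sensor check: flag SUBSCRIBE/UNSUBSCRIBE whose Callback exceeds threshold. */
int is_suspicious_subscribe(const char *req, int threshold)
{
    const char *val;
    if (strncmp(req, "SUBSCRIBE ", 10) && strncmp(req, "UNSUBSCRIBE ", 12))
        return 0;
    return find_callback(req, &val) > threshold;
}

/* Constructed oversized request: a 600-byte Callback of filler bytes only. */
const char *oversized_request(void)
{
    static char buf[700] = "SUBSCRIBE /upnp/event HTTP/1.1\r\nCALLBACK: <";
    if (strlen(buf) < 100) { memset(buf + strlen(buf), 'A', 600); strcat(buf, ">\r\n\r\n"); }
    return buf;
}
```

A real sensor would match header names case-insensitively and tune the threshold to the longest callback URL seen from legitimate control points on the network.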

Monitoring Recommendations

  • Enable logging on network devices to capture UPnP traffic patterns for forensic analysis
  • Conduct regular firmware inventory assessments to identify devices running vulnerable Realtek SDK versions
  • Monitor outbound connections from IoT devices for potential command-and-control communication following compromise

How to Mitigate CVE-2021-35393

Immediate Actions Required

  • Identify all devices in your environment using Realtek Jungle SDK versions v2.x through v3.4.14B
  • Disable UPnP services on affected devices if not required for operation
  • Segment IoT devices onto isolated network VLANs with restricted access
  • Block external access to UPnP ports (1900/UDP, 52881/TCP) at the network perimeter

Patch Information

Realtek has released security advisories addressing this vulnerability. Affected organizations should consult the Realtek SDK Security Advisory for official patch information. Device manufacturers using the affected SDK should integrate the patched SDK version and release firmware updates for their products. End users should check with their device vendors for available firmware updates.

Additional technical details can be found in the IoT Inspector Security Advisory.

Workarounds

  • Disable UPnP functionality entirely on affected devices where feasible
  • Implement firewall rules to restrict access to UPnP services to trusted internal hosts only
  • Deploy network segmentation to isolate vulnerable IoT devices from critical network assets
  • Consider replacing end-of-life devices that will not receive vendor patches
```bash
# Example firewall rules to block UPnP access (adjust for your environment)
# Block SSDP discovery traffic
iptables -A INPUT -p udp --dport 1900 -j DROP

# Block UPnP HTTP traffic
iptables -A INPUT -p tcp --dport 52881 -j DROP

# Allow only from trusted management subnet (example). -I inserts at the head
# of the chain, so this ACCEPT is evaluated before the DROP rules appended above.
iptables -I INPUT -s 192.168.1.0/24 -p udp --dport 1900 -j ACCEPT
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: RCE
  • Vendor/Tech: Realtek
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 12.16%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment
  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References
  • CWE-787

Technical References
  • IoT Inspector Security Advisory

Vendor Resources
  • Realtek Company Profile
  • Realtek SDK Security Report

Related CVEs
  • CVE-2021-35394: Realtek Jungle SDK RCE Vulnerability
  • CVE-2021-35395: Realtek Jungle SDK RCE Vulnerability
  • CVE-2019-25345: Realtek IIS Codec Privilege Escalation
  • CVE-2020-36974: Realtek Andrea RT Filters Privilege Escalation
©2026 SentinelOne, All Rights Reserved.