CVE-2021-35402 Overview
CVE-2021-35402 is a critical OS command injection vulnerability affecting PROLiNK PRC2402M wireless routers running firmware version 20190909 prior to the June 2021 security update. The vulnerability exists in the live_api.cgi script, specifically in the satellite_list page functionality. Attackers can inject arbitrary shell metacharacters through the ip parameter used by the satellite_status function, enabling unauthenticated remote command execution on the underlying operating system.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands with root privileges on affected PROLiNK routers via network-accessible CGI endpoints, potentially leading to complete device compromise.
Affected Products
- PROLiNK PRC2402M firmware version 20190909
- PROLiNK PRC2402M devices running firmware prior to 2021-06-13 security update
Discovery Timeline
- 2026-02-20 - CVE-2021-35402 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2021-35402
Vulnerability Analysis
This command injection vulnerability (CWE-78) stems from improper neutralization of special elements used in an OS command. The affected live_api.cgi script fails to properly sanitize user-supplied input in the ip parameter when processing requests to the satellite_list page. When the satellite_status function is invoked, the unsanitized ip parameter value is passed directly to a shell command, allowing attackers to break out of the intended command context using shell metacharacters such as semicolons (;), pipes (|), backticks (`), or command substitution syntax ($()).
The vulnerability is particularly severe because it requires no authentication and is accessible over the network. Embedded devices like the PROLiNK PRC2402M typically run with elevated privileges, meaning successful exploitation grants attackers root-level access to execute arbitrary commands on the device.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization in the CGI handler. The live_api.cgi script directly incorporates user-controlled input from the ip parameter into shell commands without proper escaping or validation. This design flaw allows shell metacharacters to be interpreted by the underlying operating system shell, breaking the intended command structure and enabling command chaining or injection.
Attack Vector
The attack is executed remotely over the network by sending a crafted HTTP request to the vulnerable CGI endpoint. An attacker constructs a malicious request to live_api.cgi?page=satellite_list with shell metacharacters embedded in the ip parameter. When the router processes this request through the satellite_status function, the injected commands execute with the privileges of the web server process, which typically runs as root on embedded devices.
For example, an attacker could append commands using semicolons or use backtick command substitution to execute arbitrary payloads. The exploitation requires only network access to the device's web interface, with no authentication credentials needed. Technical details and proof-of-concept information can be found in the Star Labs Security Advisory.
Detection Methods for CVE-2021-35402
Indicators of Compromise
- Unusual HTTP requests to live_api.cgi containing shell metacharacters (;, |, `, $()) in query parameters
- Web server logs showing requests to /live_api.cgi?page=satellite_list with suspicious ip parameter values
- Unexpected outbound network connections from the router to external hosts
- Presence of unauthorized files or processes on the device
- Unexplained configuration changes or new user accounts on the router
Detection Strategies
- Monitor HTTP traffic to embedded devices for requests containing known command injection patterns targeting live_api.cgi
- Implement network-based intrusion detection rules to flag CGI requests with shell metacharacters in parameters
- Deploy web application firewalls (WAF) rules to block requests with command injection payloads targeting the ip parameter
- Conduct regular firmware version audits to identify devices running vulnerable firmware versions
Monitoring Recommendations
- Enable and review web server access logs on the PROLiNK device if available
- Implement network traffic analysis for anomalous patterns targeting IoT/router management interfaces
- Set up alerts for unexpected DNS queries or outbound connections originating from network infrastructure devices
- Periodically scan the network for devices running outdated PROLiNK firmware
How to Mitigate CVE-2021-35402
Immediate Actions Required
- Update PROLiNK PRC2402M firmware to the version released on or after 2021-06-13
- Restrict network access to the router's web management interface using firewall rules
- Disable remote management functionality if not required
- Isolate affected devices on a separate network segment until patching is complete
- Monitor device logs for any signs of exploitation attempts
Patch Information
PROLiNK addressed this vulnerability in a firmware update released on 2021-06-13. Device owners should obtain the latest firmware from PROLiNK's official support channels and apply the update immediately. Additional technical details are available in the Star Labs Security Advisory.
Workarounds
- Restrict access to the web management interface by configuring firewall rules to allow connections only from trusted IP addresses
- Disable the live_api.cgi endpoint if the satellite status functionality is not required (note: this may impact device functionality)
- Place the device behind a network firewall that blocks external access to the management interface
- Implement network-level filtering to detect and block requests containing shell metacharacters targeting CGI endpoints
Firewall rules should be implemented at the network perimeter to restrict access to management interfaces. Consult your network firewall documentation for specific configuration syntax to limit access to the router's web interface to authorized administrative IP addresses only.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
