{"api_version":"1","generated_at":"2026-04-23T09:53:11+00:00","cve":"CVE-2021-35394","urls":{"html":"https://cve.report/CVE-2021-35394","api":"https://cve.report/api/cve/CVE-2021-35394.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-35394","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-35394"},"summary":{"title":"CVE-2021-35394","description":"Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-08-16 12:15:00","updated_at":"2023-08-08 14:21:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en","name":"https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en","refsource":"MISC","tags":[],"title":"Taiwan Headquarters - REALTEK","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf","name":"https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf","refsource":"MISC","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"404"},{"url":"https://www.securityfocus.com/archive/1/534765","name":"https://www.securityfocus.com/archive/1/534765","refsource":"MISC","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain","name":"https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain","refsource":"MISC","tags":[],"title":"Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain - IoT Inspector","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-35394","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35394","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"35394","vulnerable":"1","versionEndIncluding":"3.4.14b","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"realtek","cpe5":"realtek_jungle_sdk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2021","cve_id":"35394","cve":"CVE-2021-35394","vendorProject":"Realtek","product":"Jungle Software Development Kit (SDK)","vulnerabilityName":"Realtek Jungle SDK Remote Code Execution Vulnerability","dateAdded":"2021-12-10","shortDescription":"RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2021-12-24","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2021-35394","cwes":"CWE-78,CWE-138","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:11"},"epss":{"cve_year":"2021","cve_id":"35394","cve":"CVE-2021-35394","epss":"0.942200000","percentile":"0.999260000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[{"cve":"CVE-2021-35394","qid":"731298","title":"Realtek Jungle Software Development Kit (SDK) Command Injection Vulnerability"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-35394","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.securityfocus.com/archive/1/534765","refsource":"MISC","name":"https://www.securityfocus.com/archive/1/534765"},{"refsource":"MISC","name":"https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en","url":"https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en"},{"refsource":"MISC","name":"https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf","url":"https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf"},{"refsource":"MISC","name":"https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain","url":"https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain"}]}},"nvd":{"publishedDate":"2021-08-16 12:15:00","lastModifiedDate":"2023-08-08 14:21:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:realtek:realtek_jungle_sdk:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0","versionEndIncluding":"3.4.14b","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"35394","Ordinal":"210886","Title":"CVE-2021-35394","CVE":"CVE-2021-35394","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"35394","Ordinal":"1","NoteData":"Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"35394","Ordinal":"2","NoteData":"2021-08-16","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"35394","Ordinal":"3","NoteData":"2021-08-16","Type":"Other","Title":"Modified"}]}}}