Go to listing page

Mirai Botnet Variant Targeting Vulnerabilities in Realtek Devices

Mirai Botnet Variant Targeting Vulnerabilities in Realtek Devices
Mirai-based botnet actors have been found abusing multiple security flaws in software that are used by 65 network equipment vendors. The attackers are abusing command injection vulnerabilities that were spotted in Realtek chipsets a few days ago.

What's new?

Researchers from SAM Seamless Network have identified that within 48 hours of disclosure, the vulnerabilities in Realtek devices were being exploited in the wild. These serious security flaws exist in Software Development Kits (SDK) of devices.
  • One of the critical security flaws tracked as CVE-2021-35395 impacts smart lightning gateways, IP cameras, travel routers, Wi-Fi repeaters, and smart toys.
  • The bug impacts the management web interface of the devices giving attacks remotely access to scan and run an arbitrary code on flawed devices.
  • The most common network devices using faulty Realtek SDK targeted by Mirai-based botnets are found to be Edimax N150, Netis E1+ extender, N300 Wi-Fi routers, and Repotec RP-WR5444 router. 

Furthermore, Realtek has released an advisory on CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, and CVE-2021-35395, which are rated more than 8.1 on the severity rating.

All in a few days

On August 13, Realtek had released a patched version of the exposed SDK. 
  • On August 16, IoT Inspector Research Lab released a security advisory disclosing multiple Realtek vulnerabilities. This left a very small window of time to patch vulnerable devices.
  • Later, it was spotted that the Mirai botnet had started looking for unpatched devices for CVE-2021-35395 on August 18, just two days after the vulnerability was disclosed in public.

Mirai is on fire

Juniper Threat Labs researchers disclosed that the attackers behind the Mirai strain are already active and have been targeting network/IoT devices since February. The attacker behind the new variant had updated their scanners two weeks ago to abuse the critical authentication bypass vulnerability (CVE-2021-20090) affecting millions of home routers with Arcadyan firmware.


Recent developments show how quickly and actively cybercriminals attempt to cash in on any opportunity that arises. Moreover, such vulnerabilities are easy to abuse and can be embedded inside malware code. Therefore, vulnerable device users are recommended to apply patches as soon as possible.

Cyware Publisher