Home / Threat Intelligence bulletins / Millions of IoT devices vulnerable to remote vulnerabilities


Flaws have been reported in multiple IoT Software Development Kits (SDK). An SDK is a set of tools given to developers to enable them to add features to a product.


At least 65 different vendors’ products are vulnerable to issues with the SDK for Realtek’s RTL819xD chip, commonly used to provide WiFi capabilities.
The report by IoT Inspector Research Lab estimates that this would affect close to 1 million devices.

CVE-2021-35392 (‘WiFi Simple Config’ stack buffer overflow via UPnP)

CVE-2021-35393 (‘WiFi Simple Config’ heap buffer overflow via SSDP)

CVE-2021-35394 (MP Daemon diagnostic tool command injection)

CVE-2021-35395 (management web interface multiple vulnerabilities)


Separately, Mandiant researchers have released information on a vulnerability in ThroughTek’s Kalay P2P Network (CVE-2021-28372), potentially affecting 83 million devices.


Remote code execution could allow an attacker to take control of routers, smart devices, IP cameras or others. The number of services exposed to the internet could make this an attractive target for automated exploitation, as we’ve seen previously with the Mirai malware which is known to target IP cameras and home routers.

Affected Products

Due to the way SDKs are created and distributed, it can be difficult to get a full list of affected devices.

IoT Inspector provided a partial list, collected using the Shodan search engine, but this is unlikely to be all of them. The list is available in the appendix here.

Mandiant were not able to provide a list of affected devices.

Vulnerability Detection

IoT Inspector lists a few ways to assess if a device uses Realtek’s SDK:

  • the /etc/motd banner mentions rlx-linux. This should appear on console access through SSH/telnet or direct serial connection.
  • the hostname rlx-linux
  • /etc/versionmay list the Realtek SDK

Mandiant has not given details on detection or released any exploit code. Exploitation would require a lot of knowledge of the Kalay protocol.

Containment, Mitigations & Remediations

Where practical, IoT devices should not be exposed to the internet.
Devices should be kept up-to-date and unique, complex passwords should be used for anything with a remote login.

Indicators of Compromise

There are no published Indicators of Compromise (IoCs) available at this time. However, monitoring of network traffic for unusual patterns, inbound traffic and unauthorised access may identify attacks against equipment.

Threat Landscape

This comes as a new analysis by security company, Claroty, shows the first half of 2021 has seen an uptick of 41% in reported Industrial Control System vulnerabilities, including nearly 400 different remotely exploitable vulnerabilities in various devices.

These vulnerabilities, coupled with known threat actor behaviour, highlight the importance of understanding supply chains and how seemingly innocuous devices may be used to impact or intrude further into an organisation’s infrastructure.

Further Information

Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain

Realtek AP-Router SDK Advisory

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

ICS Advisory (ICSA-21-229-01)