Realtek-based routers, smart devices are being gobbled up by a voracious botnet


A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to launch huge Distributed Denial of Service (DDoS) attacks.

Last time it was a vulnerability in the Arcadyan firmware found in devices distributed by some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.

A similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.


The vulnerabilities were found and disclosed by IoT Inspector, a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in the wild.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The description of CVE-2021-35395 contains a pretty dense explanation, but it boils down as follows.

There are two types of management interface that can be accessed over the Internet. Both of them are vulnerable to multiple stack buffer overflows due to “unsafe” copying of parameters, and to two separate arbitrary command injection problems, again stemming from the apparently unsafe handling of parameters. These allow an attacker to run arbitrary commands on the vulnerable device.

For anyone unfamiliar with web programming, this implies that the code behind these Internet-exposed management interfaces is failing to perform the most basic security hygiene.
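To make “unsafe copying” and “unsafe handling of parameters” concrete, here is an added example in C. It is not code from the Realtek SDK or from this article; it is a hypothetical diagnostic form handler (the ping command, HOST_MAX and every function name are assumptions) with the unsafe pattern shown in a comment and the checked version implemented.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define HOST_MAX 64 /* hypothetical fixed-size stack buffer in a form handler */

/* Unsafe pattern of the kind described above, shown only as a comment:
 *   strcpy(host, param);                 no length check: stack overflow
 *   sprintf(cmd, "ping -c 1 %s", host);  parameter becomes shell text
 *   system(cmd);                         ';' or '|' starts a second command */

/* Bounded copy: reject an over-long parameter instead of overflowing or truncating. */
int copy_param(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n >= dst_len)
        return -1;           /* no room for the string plus its NUL */
    memcpy(dst, src, n + 1); /* n + 1 <= dst_len, includes the NUL */
    return 0;
}

/* Allowlist: host name or IP literal characters only; no leading '-' (option). */
int is_valid_host(const char *s)
{
    if (s[0] == '\0' || s[0] == '-')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-' && *s != ':')
            return 0;
    return 1;
}

/* Build an argument vector for execv(); the parameter is never parsed by a shell. */
int build_ping_argv(const char *param, char *host, size_t host_len, const char *argv[5])
{
    if (copy_param(host, host_len, param) != 0 || !is_valid_host(host))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1"; argv[3] = host; argv[4] = NULL;
    return 0;
}

int main(void)
{
    char host[HOST_MAX];
    const char *argv[5], *bad = "10.0.0.1;reboot"; /* constructed sample parameter */
    printf("%s: %s\n", bad, build_ping_argv(bad, host, sizeof host, argv) ? "rejected" : "accepted");
    return 0;
}
```

The two checks map onto the two bug classes: the length check addresses the stack overflows, and the allowlist plus argument vector addresses the command injection.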

The description ends:

Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tend to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones…

In other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.

Same botnet, same operator?

With all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.

Researchers at SAM Seamless Network were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet seen by Unit 42 in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090 which is present in the Arcadyan firmware.

It is also reasonable to assume that this is the actor that was responsible for the largest DDoS attack recorded to date, just last week.


Realtek has since patched the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again, many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable, and even if they do, they will likely need guidance to apply a firmware upgrade.

Realtek chipsets are commonly used for sound and Wi-Fi by many vendors such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a list of affected devices courtesy of Mainstream Technologies, but this is only a partial list. Alongside its list, Mainstream Technologies warns that: “If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch”.

So even if your device is not on the list, that doesn’t mean it’s not vulnerable. Any device that uses a Realtek RTL819xD chipset is vulnerable and the bots scanning the internet for vulnerable devices will definitely be able to find them.

It is cases like these that could end up being a deciding factor in the discussion about whether vendors, governments, or law enforcement should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher
