CVE-2014-8361

SDK vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

A critical remote code execution vulnerability exists in the miniigd UPnP/SOAP service of the Realtek SDK. It allows unauthenticated remote attackers to execute arbitrary code by sending specially crafted NewInternalClient SOAP requests. The vulnerability has been extensively exploited in the wild and is used by multiple malware families, including Mirai botnet variants. It was disclosed on May 1, 2015. CISA lists CVE-2014-8361 as known to be exploited; it is not currently known to be used in ransomware campaigns.

Technical details

The miniigd (Minimal IGD/Internet Gateway Device) SOAP service in Realtek SDK fails to properly validate input parameters in SOAP NewInternalClient requests. The vulnerability exists in the UPnP/SOAP interface, which is commonly exposed on port 5000/TCP and other alternative ports on affected routers. The flaw allows attackers to execute arbitrary shell commands by injecting commands into specific SOAP request parameters, particularly in parameters that are processed without adequate sanitization before being passed to shell execution functions.

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
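The technical details above describe a NewInternalClient parameter that reaches a shell without validation. The following added example (written for this page, not Realtek's or any vendor's code) shows the defender-side counterpart: a small inspector that parses a captured UPnP SOAP body, extracts NewInternalClient regardless of XML namespace, and flags anything that is not a plain dotted-quad IPv4 address. The sample SOAP bodies are constructed for illustration and use a placeholder token rather than a real injected command; the exact envelope shape used by a given device is an assumption.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no business inside an IP-address parameter.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def find_local(root, local_name):
    """Return the first element whose local tag name matches, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None


def inspect_soap_body(body: str) -> dict:
    """Classify a UPnP SOAP body by the contents of its NewInternalClient parameter.

    verdict is one of: 'clean', 'suspicious', 'malformed', 'not-applicable'.
    Allowlist logic: the only acceptable value is a valid IPv4 address.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"value": None, "verdict": "malformed", "reason": f"XML parse error: {exc}"}
    el = find_local(root, "NewInternalClient")
    if el is None:
        return {"value": None, "verdict": "not-applicable", "reason": "no NewInternalClient parameter"}
    raw = (el.text or "").strip()
    if SHELL_META.search(raw):
        return {"value": raw, "verdict": "suspicious", "reason": "shell metacharacters in NewInternalClient"}
    try:
        ipaddress.IPv4Address(raw)
    except ValueError:
        return {"value": raw, "verdict": "suspicious", "reason": "NewInternalClient is not a dotted-quad IPv4 address"}
    return {"value": raw, "verdict": "clean", "reason": "valid IPv4 internal client"}


# Constructed sample bodies (assumed AddPortMapping envelope; not captured traffic).
_ENVELOPE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
             '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
             '<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>'
             '<NewInternalPort>80</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
             '</u:AddPortMapping></s:Body></s:Envelope>')
BENIGN_BODY = _ENVELOPE.format(client="192.168.1.50")
INJECTED_BODY = _ENVELOPE.format(client="192.168.1.50;CMD_PLACEHOLDER")  # placeholder, not a payload

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(name, inspect_soap_body(body))
```

The same allowlist check (IPv4 only, reject everything else) is what a patched SOAP handler should apply before the value is used anywhere near a shell.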

Impact

Successful exploitation allows complete compromise of affected routers and embedded devices. Attackers can: (1) Execute arbitrary commands with root privileges, (2) Install malware or botnet agents (Mirai, Hajime, etc.), (3) Turn the device into a botnet node for DDoS attacks, (4) Harvest credentials and sensitive data from the device, (5) Pivot to internal network resources, (6) Modify firmware or persistent configurations, (7) Disrupt network services and connectivity. This vulnerability has been extensively leveraged in real-world attacks, particularly for IoT botnet recruitment. Devices remain vulnerable even if fully patched at the application level, as the vulnerability is in the underlying SDK.

Mitigation and workarounds

As temporary workarounds:

- Disable the UPnP/miniigd service if it is not required. Access the router administration interface and disable UPnP functionality in the settings. This completely prevents exploitation of this specific vulnerability.
- Restrict network access to the UPnP/miniigd service (typically port 5000/TCP) using firewall rules. Block inbound connections to UPnP ports from untrusted networks.
- Isolate vulnerable IoT devices on a separate network segment with restricted access to the main network and the internet.
- Keep devices behind a firewall that blocks or restricts UPnP traffic from external networks.
- Replace affected routers/devices with newer models that have been updated with patched SDK versions or have UPnP disabled by default.

CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional resources

Source: This report was generated using AI

Related Realtek Vulnerabilities

No related vulnerabilities found with identified affected products.