CVE-2021-35402
Received Received - Intake
OS Command Injection in PROLiNK PRC2402M satellite_list Parameter

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: MITRE

Description
PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2021-35402
EUVD
EUVD-2021-22045
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
prolink prc2402m to 2021-06-13 (exc)
prolink prc2402m 20190909
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2021-35402 is an unauthenticated OS command injection vulnerability in the Prolink PRC2402M router. It occurs in the live_api.cgi script, specifically in the satellite_list functionality, where the "ip" parameter from an HTTP GET request is used without validation in a system command executed as root.'}, {'type': 'paragraph', 'content': 'Because the input is not sanitized, an attacker can inject arbitrary shell commands through the "ip" parameter, leading to remote code execution with root privileges on the device.'}, {'type': 'paragraph', 'content': 'Exploitation involves sending a specially crafted GET request to the live_api.cgi script with malicious shell commands embedded in the "ip" parameter.'}] [1]

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected router with root privileges without authentication.

The impact includes full compromise of the device, allowing the attacker to control the router, intercept or manipulate network traffic, install malware, or use the device as a pivot point for further attacks.

Given the CVSS score of 10.0, this is a critical vulnerability with high confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the live_api.cgi endpoint for command injection via the ip parameter in the satellite_list page.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send a specially crafted HTTP GET request to the vulnerable endpoint and observe if arbitrary commands are executed.'}, {'type': 'paragraph', 'content': 'For example, using curl to test the injection:'}, {'type': 'list_item', 'content': "curl 'http://<target-ip>/cgi-bin/live_api.cgi?page=satellite_list&ip=$(echo%20test_injection%3E/tmp/testfile)&id=1'"}, {'type': 'paragraph', 'content': 'If the file /tmp/testfile is created on the device, it confirms the command injection vulnerability.'}] [1]

Mitigation Strategies

Immediate mitigation steps include applying the official patch released by Prolink by June 13, 2021, which fixes the command injection vulnerability.

If patching is not immediately possible, restrict access to the live_api.cgi endpoint to trusted networks only to prevent exploitation.

Additionally, monitor network traffic for suspicious requests targeting the satellite_list page with unusual ip parameter values.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-35402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart