CVE-2021-35402
OS Command Injection in PROLiNK PRC2402M satellite_list Parameter
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prolink | prc2402m | to 2021-06-13 (exc) |
| prolink | prc2402m | 20190909 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-35402 is an unauthenticated OS command injection vulnerability in the Prolink PRC2402M router. It occurs in the live_api.cgi script, specifically in the satellite_list functionality, where the "ip" parameter from an HTTP GET request is used without validation in a system command executed as root.
Because the input is not sanitized, an attacker can inject arbitrary shell commands through the "ip" parameter, leading to remote code execution with root privileges on the device.
Exploitation involves sending a specially crafted GET request to the live_api.cgi script with malicious shell commands embedded in the "ip" parameter. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands on the affected router with root privileges without authentication.
The impact includes full compromise of the device, allowing the attacker to control the router, intercept or manipulate network traffic, install malware, or use the device as a pivot point for further attacks.
Given the CVSS score of 10.0, this is a critical vulnerability with high confidentiality, integrity, and availability impacts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the live_api.cgi endpoint for command injection via the ip parameter in the satellite_list page.
A practical detection method is to send a specially crafted HTTP GET request to the vulnerable endpoint and observe if arbitrary commands are executed.
For example, using curl to test the injection:
- `curl 'http://<target-ip>/cgi-bin/live_api.cgi?page=satellite_list&ip=$(echo%20test_injection%3E/tmp/testfile)&id=1'`
If the file /tmp/testfile is created on the device, it confirms the command injection vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patch released by Prolink by June 13, 2021, which fixes the command injection vulnerability.
If patching is not immediately possible, restrict access to the live_api.cgi endpoint to trusted networks only to prevent exploitation.
Additionally, monitor network traffic for suspicious requests targeting the satellite_list page with unusual ip parameter values.
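One way to implement the monitoring step above, as an added example that is not code from Prolink or from this advisory: it scans HTTP request logs for satellite_list requests whose ip parameter is not a plain IP address. It assumes requests are logged in common log format by a proxy or sensor in front of the router and that a legitimate ip value is always an IP literal; the log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (common log format); not captured from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2021:10:00:01 +0000] "GET /cgi-bin/live_api.cgi?page=satellite_list&ip=192.168.1.20&id=1 HTTP/1.1" 200 312
198.51.100.7 - - [01/Jul/2021:10:00:05 +0000] "GET /cgi-bin/live_api.cgi?page=satellite_list&ip=$(echo%20test_injection%3E/tmp/testfile)&id=1 HTTP/1.1" 200 0
192.0.2.10 - - [01/Jul/2021:10:00:09 +0000] "GET /cgi-bin/live_api.cgi?page=status HTTP/1.1" 200 95
203.0.113.4 - - [01/Jul/2021:10:00:12 +0000] "GET /cgi-bin/live_api.cgi?page=satellite_list&ip=router-2.lan&id=2 HTTP/1.1" 200 0
192.0.2.10 - - [01/Jul/2021:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def is_plain_ip(value):
    """True only for a bare IPv4/IPv6 literal with nothing else attached."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def suspicious_requests(log_text):
    """Return (client, decoded ip value) for each satellite_list request
    whose ip parameter is anything other than a plain IP address."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/live_api.cgi"):
            continue
        # parse_qs percent-decodes values, so encoded shell syntax is compared decoded.
        params = parse_qs(url.query, keep_blank_values=True)
        if "satellite_list" not in params.get("page", []):
            continue
        findings += [(client, v) for v in params.get("ip", []) if not is_plain_ip(v)]
    return findings


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client} sent ip={value!r}")
```

Allow-listing the expected value format, rather than searching for known shell metacharacters, also flags encodings and variants that a signature list would miss.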