Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Realtek SDK miniigd UPnP SOAP Command Injection

IdentifiersCVE-2014-8361CWE-78

CVE-2014-8361 is a remote command injection vulnerability in the miniigd SOAP service shipped with devices that use the Realtek SDK. The flaw is exposed through the UPnP Internet Gateway Device (IGD) SOAP interface and can be triggered by sending a crafted SOAP request, specifically abusing the AddPortMapping action and injecting shell metacharacters into the NewInternalClient parameter. The vulnerable miniigd daemon improperly incorporates attacker-controlled input into OS command execution, allowing arbitrary shell commands to run on the target device. The issue has been widely weaponized by IoT botnets including Okiru, Mozi, and later Mirai-derived campaigns, and exploitation in the wild was still being reported through 2023.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary OS commands on vulnerable devices over the network. In practice, this has been used to download and launch malware payloads, enroll devices into botnets, establish persistent footholds, and use compromised routers or IoT devices for DDoS, scanning, propagation, and further payload delivery. Because affected devices are commonly edge network equipment, compromise can also provide a strategic foothold inside residential or small-office network perimeters.

Mitigation

If you can’t patch tonight, do this now.

Disable UPnP/IGD services, especially WAN-exposed miniigd SOAP endpoints, wherever operationally feasible. Restrict access to the service to trusted internal networks only and block external access to the affected management/service ports at firewalls. Segment vulnerable IoT and edge devices from critical assets, monitor for suspicious SOAP requests and outbound malware retrieval activity, and hunt for indicators of botnet enrollment on exposed devices. If patching is unavailable, removing internet exposure or replacing the device is the most reliable mitigation.

Remediation

Patch, then assume compromise.

Apply vendor firmware updates that remediate CVE-2014-8361 on affected Realtek SDK-based devices. Where the OEM no longer provides supported firmware, replace end-of-life devices. Because the flaw resides in products derived from the Realtek SDK, remediation may require model-specific updates from the device manufacturer rather than Realtek directly. After patching or replacement, verify that the miniigd/UPnP SOAP service is no longer vulnerable and review devices for signs of prior compromise.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AtermW1200ex Firmwareoperating_system
AtermW1200ex-Ms Firmwareoperating_system
AtermW300p Firmwareoperating_system
AtermW500p Firmwareoperating_system
AtermWf300hp2 Firmwareoperating_system
AtermWf800hp Firmwareoperating_system
AtermWg1200hp Firmwareoperating_system
AtermWg1200hp2 Firmwareoperating_system
AtermWg1200hp3 Firmwareoperating_system
AtermWg1200hs Firmwareoperating_system
AtermWg1200hs2 Firmwareoperating_system
AtermWg1800hp3 Firmwareoperating_system
AtermWg1800hp4 Firmwareoperating_system
AtermWg1900hp Firmwareoperating_system
AtermWg1900hp2 Firmwareoperating_system
AtermWr8165n Firmwareoperating_system
D-LinkDir-501 Firmwareoperating_system
D-LinkDir-515 Firmwareoperating_system
D-LinkDir-600l Firmwareoperating_system
D-LinkDir-605l Firmwareoperating_system
D-LinkDir-615 Firmwareoperating_system
D-LinkDir-619l Firmwareoperating_system
D-LinkDir-809 Firmwareoperating_system
D-LinkDir-900l Firmwareoperating_system
D-LinkDir-905l Firmwareoperating_system
RealtekRealtek Sdkapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
cyfirma otherNews
Apr 22, 2026
CHINA CYBERSECURITY THREAT INTELLIGENCE REPORT - CYFIRMA

A high-severity vulnerability in Realtek SDK-based IoT and network equipment that continues to appear in exploitation-focused detections, with exploit code available.

Read more
the hacker newsNews
Jun 9, 2025
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

A vulnerability in Realtek SDK exploited by Mirai botnet variants.

Read more
the hacker newsNews
Jan 8, 2025
Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

A security vulnerability exploited by Mirai botnet variants to compromise devices and expand botnet reach.

Read more
netlab 360News
Dec 23, 2019
Mozi, Another Botnet Using DHT

A known exploit targeting devices using the Realtek SDK, listed as one of the vulnerabilities leveraged by the Mozi botnet for propagation.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware8

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2014-8361
NVD
nvd.nist.gov/vuln/detail/CVE-2014-8361
MITRE CWE · CWE-78
cwe.mitre.org
Vendor Advisory
securityadvisories.dlink.com/security/publication.aspx?name=SAP10055
Third Party Advisory
jvn.jp/en/jp/JVN47580234/index.html
Third Party Advisory
jvn.jp/en/jp/JVN67456944/index.html
Third Party Advisory
packetstormsecurity.com/files/132090/Realtek-SDK-Miniigd-UPnP-SOAP-Command-Execution.html
Third Party Advisory
zerodayinitiative.com/advisories/ZDI-15-155
Third Party Advisory
sensorstechforum.com/hinatabot-cve-2014-8361-ddos
Third Party Advisory
web.archive.org/web/20150909230440/http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055
Third Party Advisory
exploit-db.com/exploits/37169
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-8361