CVE-2021-35402
Published: 20 February 2026
Description
PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents OS command injection by validating the ip parameter in live_api.cgi against shell metacharacters.
SI-2 requires timely flaw remediation through firmware patching to eliminate the command injection vulnerability.
AC-3 enforces access controls to block unauthenticated remote access to the vulnerable satellite_status endpoint.
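The SI-10 control above comes down to one rule for this class of flaw: the ip value reaching the status probe must be accepted only if it is a well-formed address, and it must never be spliced into a shell command string. The following C program is an added illustration of that rule, not code from the PRC2402M firmware or from the Star Labs advisory; the handler name run_status_probe, the use of ping as the probe, and the sample inputs are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strict IPv4 dotted-quad check: exactly four decimal octets in 0..255,
 * digits and dots only, no leading zeros. Everything else, which covers
 * every shell metacharacter, is rejected, so the value can never alter
 * the meaning of a command. Returns 1 if valid, 0 otherwise. */
int validate_ipv4(const char *s)
{
    if (s == NULL) return 0;
    int octets = 0;
    const char *p = s;
    for (;;) {
        if (!isdigit((unsigned char)*p)) return 0;
        const char *start = p;
        int value = 0;
        while (isdigit((unsigned char)*p)) {
            value = value * 10 + (*p - '0');
            if (value > 255) return 0;
            p++;
        }
        if (p - start > 1 && *start == '0') return 0;  /* leading zero */
        octets++;
        if (*p == '\0') break;
        if (*p != '.' || octets == 4) return 0;
        p++;
    }
    return octets == 4;
}

/* Hypothetical status probe (an assumption for this example). The address
 * is passed as one argv element to execvp, never through a shell, so even
 * if validation were bypassed the kernel would treat it as data rather
 * than as part of a command line. Returns the child's exit status, or -1
 * if validation or process creation fails. */
int run_status_probe(const char *ip)
{
    if (!validate_ipv4(ip)) return -1;
    char ip_copy[16];                       /* longest IPv4 text is 15 chars */
    snprintf(ip_copy, sizeof ip_copy, "%s", ip);
    char *argv[] = { "ping", "-c", "1", "-W", "1", ip_copy, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                         /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: a clean address, one carrying shell
     * metacharacters of the kind the CVE description refers to, and two
     * malformed addresses. */
    const char *samples[] = { "192.0.2.10", "192.0.2.10; uptime",
                              "01.2.3.4", "256.1.1.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               validate_ipv4(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two halves are deliberately independent defences: the allowlist validator gives a clean rejection to log and alert on, while the argv-based exec removes the shell from the path entirely, so a gap in one does not reopen the injection.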
Security Summary
CVE-2021-35402 is an OS command injection vulnerability (CWE-78) in the PROLiNK PRC2402M router firmware version 20190909 before 2021-06-13. The issue affects the live_api.cgi script when the page parameter is set to satellite_list, allowing injection of shell metacharacters via the ip parameter during satellite_status operations.
The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), enabling remote unauthenticated attackers with network access to execute arbitrary OS commands with low complexity and no user interaction. Exploitation can result in full device compromise, granting high-impact control over confidentiality, integrity, and availability.
Mitigation guidance is available in the Star Labs advisory at https://starlabs.sg/advisories/21/21-35402/. The CVE was published on 2026-02-20T19:23:14.200.
Details
- CWE(s): CWE-78 (OS Command Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2021-35402 is an unauthenticated OS command injection in a public-facing router web interface (live_api.cgi), directly enabling T1190 (Exploit Public-Facing Application) and facilitating arbitrary Unix shell command execution (T1059.004).