JFrog Security Research

XRAY-194070 - Realtek RTL8195A RCE

CVE-2020-25853 | CVSS 7.5

JFrog Severity: high

Published 3 Feb. 2021 | Last updated 3 Feb. 2021

A stack buffer over-read in the Realtek RTL8195A Wi-Fi Module allows unauthenticated attackers in wireless range to cause denial of service by impersonating a Wi-Fi access point

Realtek Ameba SDK

Ameba SDK versions before 2.0.8; fixed in 2.0.8

Realtek Wi-Fi chips enable connectivity for embedded devices and are widely used in IoT development boards and production devices. This vulnerability affects the RTL8195A module. An attacker can exploit the module by impersonating an Access Point (AP) and injecting a packet into the WPA2 handshake to cause a stack buffer over-read, crashing the device and causing denial of service. No public exploit is currently known for this vulnerability, but the JFrog blog provides sufficient technical details for a skilled attacker to replicate the exploit. Since this is a Wi-Fi attack, the attacker must be close enough for the target device to connect to the attacker's AP. The function CheckMic in the module's firmware does not validate a size parameter received on the network before passing it to one of two internal functions, _rt_md5_hmac_veneer or _rt_hmac_sha1_veneer, depending on the access point's HMAC algorithm. These functions then perform an out-of-bounds read, crashing the module.
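The defensive pattern the advisory implies, as an added example that is not Realtek's code and does not reproduce the Ameba SDK's structures: a MIC check that validates the peer-supplied key-data length against the number of bytes actually received before any MAC is computed over them. The frame layout (a 16-byte MIC, a 2-byte big-endian length, then key data), the function names `check_mic_hardened` and `build_frame`, and the keyed `toy_mac` stand-in for HMAC-MD5/HMAC-SHA1 are all assumptions made for this example; the input frames are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified EAPOL-Key frame layout (not the Realtek SDK's):
   [0..16)  MIC over the frame with this field zeroed
   [16..18) big-endian key-data length, controlled by the peer
   [18..)   key data */
#define MIC_LEN   16
#define HDR_LEN   (MIC_LEN + 2)
#define MAX_FRAME 256

enum mic_result { MIC_OK = 0, MIC_BAD_LENGTH = 1, MIC_MISMATCH = 2 };

/* Stand-in keyed MAC (non-cryptographic FNV-style mixing). It is here only so
   the length check has a real consumer; production code uses HMAC-MD5 or
   HMAC-SHA1 as the advisory describes. It reads exactly msg_len bytes, which
   is what makes an unchecked msg_len an out-of-bounds read. */
static void toy_mac(const uint8_t *key, size_t key_len,
                    const uint8_t *msg, size_t msg_len, uint8_t out[MIC_LEN])
{
    uint64_t h = 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < key_len; i++) h = (h ^ key[i]) * 0x100000001B3ULL;
    for (size_t i = 0; i < msg_len; i++) h = (h ^ msg[i]) * 0x100000001B3ULL;
    for (size_t i = 0; i < MIC_LEN; i++) {
        h ^= h >> 29; h *= 0xBF58476D1CE4E5B9ULL; h ^= h >> 32;
        out[i] = (uint8_t)(h >> (8 * (i % 8)));
    }
}

/* Hardened MIC verification. frame_len is the trusted count of bytes that
   arrived from the radio; the length field inside the frame is untrusted. */
enum mic_result check_mic_hardened(const uint8_t *frame, size_t frame_len,
                                   const uint8_t *kck, size_t kck_len)
{
    if (frame == NULL || frame_len < HDR_LEN || frame_len > MAX_FRAME)
        return MIC_BAD_LENGTH;

    size_t key_data_len = ((size_t)frame[MIC_LEN] << 8) | frame[MIC_LEN + 1];

    /* The check the advisory reports as missing: the claimed length must fit
       inside the received bytes. Without it, the MAC below would read
       key_data_len bytes past the end of a short frame on the stack. */
    if (key_data_len > frame_len - HDR_LEN)
        return MIC_BAD_LENGTH;

    /* MIC is computed over the frame with the MIC field zeroed. */
    uint8_t copy[MAX_FRAME];
    memcpy(copy, frame, frame_len);
    memset(copy, 0, MIC_LEN);
    uint8_t expected[MIC_LEN];
    toy_mac(kck, kck_len, copy, HDR_LEN + key_data_len, expected);

    /* Constant-time comparison of the received and expected MIC. */
    uint8_t diff = 0;
    for (size_t i = 0; i < MIC_LEN; i++) diff |= frame[i] ^ expected[i];
    return diff == 0 ? MIC_OK : MIC_MISMATCH;
}

/* Build a well-formed frame (constructed test input, not a real capture).
   Returns the total frame length, or 0 if the key data would not fit. */
size_t build_frame(uint8_t *out, const uint8_t *key_data, size_t key_data_len,
                   const uint8_t *kck, size_t kck_len)
{
    size_t total = HDR_LEN + key_data_len;
    if (total > MAX_FRAME) return 0;
    memset(out, 0, MIC_LEN);
    out[MIC_LEN]     = (uint8_t)(key_data_len >> 8);
    out[MIC_LEN + 1] = (uint8_t)(key_data_len & 0xFF);
    memcpy(out + HDR_LEN, key_data, key_data_len);
    uint8_t mic[MIC_LEN];
    toy_mac(kck, kck_len, out, total, mic);
    memcpy(out, mic, MIC_LEN);
    return total;
}

int main(void)
{
    uint8_t kck[16]; memset(kck, 0x42, sizeof kck);
    uint8_t kd[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t frame[MAX_FRAME];
    size_t n = build_frame(frame, kd, sizeof kd, kck, sizeof kck);
    printf("valid frame: %d\n", check_mic_hardened(frame, n, kck, sizeof kck));
    frame[MIC_LEN] = 0xFF; frame[MIC_LEN + 1] = 0xFF;   /* oversized claim */
    printf("oversized length: %d\n", check_mic_hardened(frame, n, kck, sizeof kck));
    return 0;
}
```

The important property is the order of operations: the length field is compared against `frame_len` before the MAC touches a single byte of key data, so a frame that claims more key data than was received is rejected without reading past the buffer, and the MIC comparison only runs on well-formed input.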

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) WiFi Vulnerabilities Discovered by Automated Zero-Day Analysis