
Vulnerability in TP-Link gaming router exposes users to remote code attacks

May 28, 2024 | Press release | Vulnerabilities/Network Security

A high-severity vulnerability has been identified in the TP-Link Archer C5400X gaming router that could allow remote code execution on vulnerable devices through specially crafted requests.

The vulnerability, tracked as CVE-2024-5035, has a CVSS score of 10.0. It affects all versions of the router firmware up to and including 1_1.1.6. It was patched in version 1_1.1.7, released on May 24, 2024.

“Successful exploitation of this vulnerability allows unauthenticated remote attackers with elevated privileges to execute arbitrary commands on the device,” German cybersecurity company ONEKEY said in a report published on Monday.


The issue lies in a binary related to the radio frequency test “rftest” that runs at system startup and exposes a network listener on TCP ports 8888, 8889, and 8890, which allows an unauthenticated remote attacker to execute code.

While the network service is designed to only accept commands that begin with “wl” or “nvram get”, ONEKEY explained that the limitation can be easily bypassed by inserting a command after shell metacharacters such as ;, &, or | (e.g. “wl;id;”).


The fix implemented by TP-Link in version 1_1.1.7 Build 20240510 addresses the vulnerability by discarding all commands that contain these special characters.
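
The gap between the prefix check and a stricter filter, as an added C example (not TP-Link's or ONEKEY's code). The function names, the character allowlist, the 128-byte limit and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the weak check described in the report:
 * a command is accepted if it merely starts with an allowed prefix. */
static const char *const ALLOWED[] = { "wl", "nvram get" };

int prefix_only_ok(const char *cmd)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strncmp(cmd, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 1;
    return 0;
}

/* Stricter check: the prefix must end on a word boundary and the whole
 * string may contain only characters from a conservative allowlist.
 * Allowlisting is an assumption of this example; the article says the
 * vendor fix discards commands containing the special characters. */
int strict_ok(const char *cmd)
{
    static const char safe[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _.:-";
    size_t len = strlen(cmd);

    if (len == 0 || len > 128 || strspn(cmd, safe) != len)
        return 0;               /* rejects ; & | ` $ newline and the rest */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        size_t n = strlen(ALLOWED[i]);
        if (strncmp(cmd, ALLOWED[i], n) == 0 &&
            (cmd[n] == '\0' || cmd[n] == ' '))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second is the string quoted in the article. */
    const char *samples[] = { "wl status", "wl;id;", "nvram get ssid",
                              "wlfoo", "nvram get x|y" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s prefix_only=%d strict=%d\n", samples[i],
               prefix_only_ok(samples[i]), strict_ok(samples[i]));
    return 0;
}
```

A filter like this is a stopgap: passing the parsed arguments to the target binary directly, without a shell, removes metacharacter interpretation altogether.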

“It appears that TP-Link needed to either quickly or inexpensively provide an API for configuring wireless devices. The result was that they provided a supposedly limited shell over the network that clients within the router could use to configure wireless devices,” ONEKEY said.

The disclosure comes weeks after the company also disclosed vulnerabilities in Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and Ligowave networking equipment (CVE-2024-4999) that could allow remote attackers to execute remote commands with elevated privileges.

It is worth noting that these vulnerabilities will not be fixed because the affected products are no longer actively maintained, so it is imperative that users take appropriate steps to limit exposure of the administration interfaces to reduce the potential for exploitation.
