New TP-Link zero-day vulnerability discovered as CISA alerts on the exploitation of other flaws.
TP-Link has confirmed the existence of an unpatched zero-day vulnerability affecting multiple router models, as the Cybersecurity and Infrastructure Security Agency (CISA) warns that other router flaws have been exploited in attacks. This zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), who first reported it to TP-Link on May 11, 2024. The Chinese networking equipment giant has acknowledged the issue and is currently investigating the exploitability and exposure of the flaw. While a patch has reportedly been developed for European models, work is ongoing to create fixes for U.S. and global firmware versions, although no specific timelines have been provided. TP-Link stated, “We take these findings seriously and have already developed a patch for impacted European models. Work is currently underway to adapt and expedite updates for U.S. and other global versions.”
The vulnerability, which has not yet been assigned a CVE-ID, is a stack-based buffer overflow in TP-Link’s CWMP (CPE WAN Management Protocol) implementation. Researcher Mehrun identified the flaw through automated taint analysis of router binaries, noting that it resides in a function that handles SOAP SetParameterValues messages. The issue arises from a lack of bounds checking in ‘strncpy’ calls: when the copied data exceeds the 3072-byte stack buffer, the buffer overflows, allowing remote code execution. A realistic attack could involve redirecting vulnerable devices to a malicious CWMP server and delivering an oversized SOAP payload to trigger the buffer overflow. This can be achieved by exploiting outdated firmware or using unchanged default credentials. Once compromised, the router could reroute DNS queries to malicious servers, intercept unencrypted traffic, and inject harmful payloads into web sessions. Testing confirmed that the TP-Link Archer AX10 and Archer AX1500 are among the vulnerable models, with other models such as the EX141, Archer VR400, and TD-W9970 also potentially affected. Until TP-Link identifies all vulnerable devices and releases fixes, users are advised to change default admin passwords, disable CWMP if it is not needed, and apply the latest firmware updates.
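To make the bug class concrete, here is an added C example (not TP-Link's code, and not the researcher's analysis) that models the pattern the article describes: a fixed 3072-byte stack buffer receiving the Value of a SOAP SetParameterValues parameter. The unsafe copy, with a strncpy bound derived from the source rather than the destination, is shown only for comparison and is never executed; the hardened handler checks the value length against the buffer before copying and rejects oversized values with a status code. The SOAP body, the parameter name InternetGatewayDevice.X, and all function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not TP-Link code: models the CWMP SetParameterValues
 * handling pattern the article describes. Buffer size taken from the article. */
#define VALUE_BUF_SIZE 3072

enum set_param_result { PARAM_OK = 0, PARAM_TOO_LONG = 1, PARAM_BAD_INPUT = 2 };

/* VULNERABLE pattern (shown for comparison only; nothing below calls it):
 * the strncpy bound comes from the source, so it never limits the copy to
 * the destination's capacity. A value longer than dst overruns the stack frame. */
void copy_value_unsafe(char *dst, const char *src)
{
    strncpy(dst, src, strlen(src));
    dst[strlen(src)] = '\0';
}

/* HARDENED pattern: compare the value length with the destination capacity
 * before copying and always NUL-terminate. Oversized values are rejected with
 * a status the caller can turn into a SOAP Fault instead of being truncated. */
enum set_param_result copy_value_checked(char *dst, size_t dst_size,
                                         const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return PARAM_BAD_INPUT;
    if (src_len >= dst_size)          /* no room left for the terminator */
        return PARAM_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return PARAM_OK;
}

/* Minimal extraction of the text between <Value ...> and </Value>.
 * Assumption: a single Value element with no nesting; a production CWMP
 * stack would use a real XML parser. Returns 0 on success, -1 otherwise. */
int extract_value(const char *soap, const char **out, size_t *out_len)
{
    const char *open = strstr(soap, "<Value");
    if (open == NULL) return -1;
    const char *start = strchr(open, '>');
    if (start == NULL) return -1;
    start++;
    const char *end = strstr(start, "</Value>");
    if (end == NULL) return -1;
    *out = start;
    *out_len = (size_t)(end - start);
    return 0;
}

/* Handler in the style the article describes: a fixed-size stack buffer
 * receives the parameter value. Returns the status of the bounded copy. */
enum set_param_result handle_set_parameter_values(const char *soap)
{
    char value_buf[VALUE_BUF_SIZE];   /* the fixed stack buffer */
    const char *val;
    size_t val_len;
    if (extract_value(soap, &val, &val_len) != 0)
        return PARAM_BAD_INPUT;
    return copy_value_checked(value_buf, sizeof value_buf, val, val_len);
}

/* Builds a constructed SetParameterValues body whose Value is n 'A' bytes
 * and runs it through the handler. */
enum set_param_result handle_value_of_length(size_t n)
{
    const char *head = "<cwmp:SetParameterValues><ParameterList>"
                       "<ParameterValueStruct><Name>InternetGatewayDevice.X</Name>"
                       "<Value xsi:type=\"xsd:string\">";
    const char *tail = "</Value></ParameterValueStruct></ParameterList>"
                       "</cwmp:SetParameterValues>";
    size_t head_len = strlen(head);
    char *msg = malloc(head_len + n + strlen(tail) + 1);
    if (msg == NULL) return PARAM_BAD_INPUT;
    memcpy(msg, head, head_len);
    memset(msg + head_len, 'A', n);
    strcpy(msg + head_len + n, tail);
    enum set_param_result r = handle_set_parameter_values(msg);
    free(msg);
    return r;
}

int main(void)
{
    size_t sizes[] = { 16, VALUE_BUF_SIZE - 1, VALUE_BUF_SIZE, 8192 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("value of %zu bytes -> status %d\n", sizes[i],
               (int)handle_value_of_length(sizes[i]));
    return 0;
}
```

The design point is that the bound must be the destination's size, known at the copy site, and that a value which does not fit should be refused rather than silently cut short: a truncated configuration value can itself cause a misconfiguration, whereas a SOAP Fault leaves the device state unchanged and gives the ACS an auditable error.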
Categories: Cybersecurity, Vulnerabilities, Router Management
Tags: Zero-Day Vulnerability, TP-Link, Router Models, Buffer Overflow, CWMP, Remote Code Execution, Firmware Update, Security Flaw, Exploitability, Malicious Payloads