TP-Link Archer Zero-Day Vulnerability Let Attackers Inject Malicious Commands

A critical zero-day vulnerability has been discovered in TP-Link Archer, Deco, and Tapo series routers, potentially allowing attackers to inject malicious commands and fully compromise affected devices.

This vulnerability, present in both old and recent firmware versions up to November 4th, 2024, highlights significant security concerns for users of these popular router models.

The vulnerability was initially identified in an old firmware version of the AXE75 router from 2023, but further investigation revealed its presence in the most recent firmware release.

Security researchers employed the following techniques to analyze and exploit this vulnerability:

  1. Firmware Acquisition: TP-Link’s firmware is publicly available and unencrypted, facilitating easier analysis compared to other vendors.
  2. Reverse Engineering: Using tools like binwalk, researchers extracted the firmware’s contents, revealing the router’s file system structure and key components.
  3. Emulation: The web gateway of the router was emulated using “qemu-arm-static,” allowing for targeted vulnerability assessment without physical hardware.
  4. Vulnerability Identification: By searching for specific system execution functions in the Lua scripts, researchers pinpointed potential security weaknesses.
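Step 4 above amounts to grepping the extracted firmware for Lua's shell-execution functions and checking whether their arguments are built from request data. The following is an added example, not the researchers' tooling or any TP-Link code: a small Lua scanner that flags calls to os.execute or io.popen whose argument contains a ".." concatenation, run over constructed sample source embedded inline (the sample functions and command strings are assumptions, not lines from avira.lua).

```lua
-- Added example: static scan for shell-execution sinks fed by concatenation.
-- Names of sinks are real Lua library functions; everything else is assumed.
local SINKS = { "os.execute", "io.popen" }

-- Scan `src` (Lua source as a string) line by line. Returns a list of
-- { line = n, sink = name, text = source_line } for every line that calls a
-- sink and whose argument text contains the ".." concatenation operator,
-- i.e. a command string that is assembled from variables at run time.
local function find_injection_sinks(src)
  local hits = {}
  local n = 0
  for line in (src .. "\n"):gmatch("(.-)\n") do
    n = n + 1
    for _, sink in ipairs(SINKS) do
      local s, e = line:find(sink, 1, true)   -- plain (non-pattern) search
      if s then
        local arg = line:sub(e + 1)
        if arg:find("..", 1, true) then
          hits[#hits + 1] = { line = n, sink = sink, text = line }
        end
      end
    end
  end
  return hits
end

-- Constructed sample "firmware script": two risky calls and one constant call.
local sample = [[
local function tmp_get_sites(ownerId)
  os.execute("ls /tmp/sites/" .. ownerId)
end
local function reboot_device()
  os.execute("reboot")
end
local f = io.popen("ifconfig " .. iface)
]]

for _, h in ipairs(find_injection_sinks(sample)) do
  print(("line %d: %s with concatenated argument -> %s")
        :format(h.line, h.sink, h.text))
end
```

The constant `os.execute("reboot")` call is not reported because no variable is spliced into it; the two concatenating calls are, and each hit is a candidate that still needs a manual check of where the concatenated variable comes from.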

The critical flaw was discovered in the avira.lua file, ironically part of the Avira antivirus software intended to protect the device.

ThottySploity researchers identified that the vulnerability lies in the “tmp_get_sites” function, where the ownerId variable is passed to the os.execute function without proper sanitization or validation.


Exploitation

Researchers developed an exploit that targets the vulnerability through the “/admin/smart_network” endpoint.

By manipulating the ownerId parameter, attackers can inject shell commands that execute with root privileges on the affected routers. This allows for actions such as dumping sensitive files like /etc/passwd and /etc/shadow.

The vulnerability was responsibly disclosed to TP-Link following its discovery on October 3, 2024. Key events in the disclosure timeline include:

  • October 10, 2024: TP-Link was contacted and began analyzing the vulnerability.
  • November 8, 2024: TP-Link acknowledged the vulnerability and provided a fixed beta firmware version.
  • November 23, 2024: MITRE reserved CVE-2024-53375 for this vulnerability.

To mitigate this vulnerability, TP-Link should validate the ownerId variable before it reaches os.execute, for example by converting it with Lua's tonumber function and rejecting any value for which tonumber returns nil, so that text containing shell metacharacters can never become part of the command line.
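To make the flaw described above and the suggested fix concrete, here is an added example that is not TP-Link's avira.lua and not the researchers' exploit: a vulnerable function in the same shape as tmp_get_sites, where ownerId is concatenated into a shell command, beside a hardened version that applies the tonumber check. The command template, the function names and the payload are assumptions for illustration; os.execute is replaced by a stub that only records the command string, so the example runs without touching the system.

```lua
-- Added example: the command-injection pattern and its tonumber() fix.
-- Stand-in for os.execute: records what a real os.execute would hand to
-- /bin/sh instead of running it.
local executed = {}
local function fake_execute(cmd)
  executed[#executed + 1] = cmd
  return true
end

-- Vulnerable pattern (assumed template, mirrors the article's description):
-- the request-controlled ownerId is spliced directly into a shell command.
-- Any shell separator in it (";", "|", "&&", "$(...)") changes what runs,
-- and the web gateway runs as root.
local function tmp_get_sites_vulnerable(ownerId)
  local cmd = "cat /tmp/sites_" .. ownerId .. ".txt"
  return fake_execute(cmd)
end

-- Hardened pattern: require a non-negative integer. tonumber() returns nil
-- for anything that is not a numeric literal, so a payload carrying shell
-- syntax is rejected before any command line is built. The formatted %d
-- then guarantees only digits reach the shell.
local function tmp_get_sites_hardened(ownerId)
  local id = tonumber(ownerId)
  if id == nil or id ~= math.floor(id) or id < 0 then
    return nil, "invalid ownerId"
  end
  local cmd = string.format("cat /tmp/sites_%d.txt", id)
  return fake_execute(cmd)
end

-- Constructed payload: closes the intended command, runs a second one,
-- and comments out the trailing ".txt".
local payload = "1; cat /etc/shadow #"

tmp_get_sites_vulnerable(payload)
print(executed[#executed])
-- cat /tmp/sites_1; cat /etc/shadow #.txt   (the shell runs two commands)

local ok, err = tmp_get_sites_hardened(payload)
print(ok, err)                              -- nil  invalid ownerId

tmp_get_sites_hardened("42")
print(executed[#executed])                  -- cat /tmp/sites_42.txt
```

The integer check matters beyond tonumber alone: tonumber accepts forms such as "1e3" or "0x2a", which are harmless for the shell but would not be valid identifiers, so the hardened version also normalizes the value with %d rather than echoing the original string back into the command.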

This discovery underscores the importance of continuous security auditing and responsible disclosure in the realm of network device firmware.

Users of affected TP-Link routers are advised to update their firmware as soon as patches become available to protect against potential exploitation of this vulnerability.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.