NEWS Your TP-Link Router is Leaking All Traffic to Hackers. No Fix for 8 Months

ExcalibuR

A zero-day vulnerability allows stealing passwords and taking control of users' home networks.

TP-Link has confirmed a new zero-day vulnerability affecting several of its router models. The issue was discovered by an independent researcher using the nickname Mehrun (ByteRay), who reported it on May 11, 2024, but a fix has still not been released for all devices. The company has acknowledged the bug and says it is working on updates. At present the fix is available only for European firmware versions; adaptation for the US and other regions is still in progress with no firm release date.

The vulnerability has not yet received a CVE identifier. It is a buffer overflow in the implementation of CWMP (CPE WAN Management Protocol, also known as TR-069), which is used for remote router administration. The flaw is in the function that processes SetParameterValues SOAP messages: it copies values with strncpy without checking them against the size of the destination buffer, so an input larger than 3072 bytes overflows that buffer and can lead to arbitrary code execution. Mehrun explained that a real attack could be carried out by impersonating the CWMP management server the router talks to and sending it a specially crafted SOAP request. Getting the router to talk to an attacker's server can be achieved either by exploiting old firmware or by logging in with default credentials that owners did not change after purchase.
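To make the bug pattern concrete, here is an added C example. It is not TP-Link's code or the researcher's proof of concept: the SOAP layout, the 3072-byte buffer (taken from the threshold the article quotes), the parameter name Device.ManagementServer.URL and all function names are assumptions. It extracts the <Value> of a constructed SetParameterValues request and copies it two ways: the vulnerable way, where the strncpy bound is the length of the attacker-controlled value so the destination size never limits the write, and the hardened way, which rejects anything that does not fit. The vulnerable copy is pointed at an oversized scratch buffer so the overrun can be measured instead of smashing the stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the handler's fixed value buffer; the article gives 3072
 * bytes as the threshold at which the overflow begins. */
#define PARAM_VALUE_MAX 3072

/* Pull the text between <Value> and </Value> out of a SOAP body.
 * Returns a pointer into soap and its length in *len, or NULL if absent. */
static const char *find_value(const char *soap, size_t *len)
{
    const char *open = strstr(soap, "<Value>");
    if (!open) return NULL;
    open += strlen("<Value>");
    const char *close = strstr(open, "</Value>");
    if (!close) return NULL;
    *len = (size_t)(close - open);
    return open;
}

/* Vulnerable pattern: the strncpy bound is the attacker-controlled value
 * length, so dst_size never limits the write. Returns bytes written. */
size_t vulnerable_copy(char *dst, size_t dst_size, const char *val, size_t val_len)
{
    (void)dst_size;             /* the bug: the destination size is ignored */
    strncpy(dst, val, val_len); /* writes val_len bytes regardless of dst_size */
    dst[val_len] = '\0';
    return val_len;
}

/* Hardened form: refuse anything that does not fit, including the terminator,
 * then copy exactly that many bytes. Returns bytes copied or -1. */
int safe_copy(char *dst, size_t dst_size, const char *val, size_t val_len)
{
    if (val_len >= dst_size) return -1;
    memcpy(dst, val, val_len);
    dst[val_len] = '\0';
    return (int)val_len;
}

/* Constructed SetParameterValues request (not captured traffic) whose <Value>
 * is value_len bytes of 'A'. The parameter name is illustrative. Caller frees. */
char *build_request(size_t value_len)
{
    static const char head[] =
        "<soap:Envelope><soap:Body><cwmp:SetParameterValues><ParameterList>"
        "<ParameterValueStruct><Name>Device.ManagementServer.URL</Name><Value>";
    static const char tail[] =
        "</Value></ParameterValueStruct></ParameterList>"
        "</cwmp:SetParameterValues></soap:Body></soap:Envelope>";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    char *buf = malloc(hl + value_len + tl + 1);
    if (!buf) return NULL;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', value_len);
    memcpy(buf + hl + value_len, tail, tl + 1);
    return buf;
}

struct outcome { size_t vulnerable_wrote; int hardened_rc; };

/* Run one request through both copies. The vulnerable copy targets a scratch
 * buffer sized to the whole request, so its overrun past PARAM_VALUE_MAX is
 * measured rather than corrupting the stack. */
struct outcome demo(size_t value_len)
{
    struct outcome out = { 0, -1 };
    char param[PARAM_VALUE_MAX];
    char *soap = build_request(value_len);
    if (!soap) return out;
    size_t len = 0;
    const char *val = find_value(soap, &len);
    if (val) {
        out.hardened_rc = safe_copy(param, sizeof param, val, len);
        char *scratch = malloc(strlen(soap) + 1);
        if (scratch) {
            out.vulnerable_wrote = vulnerable_copy(scratch, PARAM_VALUE_MAX, val, len);
            free(scratch);
        }
    }
    free(soap);
    return out;
}

int main(void)
{
    size_t sizes[] = { 64, PARAM_VALUE_MAX - 1, PARAM_VALUE_MAX + 1024 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct outcome o = demo(sizes[i]);
        printf("value %5zu bytes: vulnerable wrote %5zu (limit %d), hardened rc %d\n",
               sizes[i], o.vulnerable_wrote, PARAM_VALUE_MAX, o.hardened_rc);
    }
    return 0;
}
```

The point to take from the two copies is that strncpy only protects the destination when its third argument is derived from the destination's size; a bound taken from the input is the same as no bound. On the real device the destination is a fixed buffer, so a 4096-byte value writes 1024 bytes past it, which is the condition the researcher describes.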

Upon successful exploitation, an attacker can redirect DNS queries to fake servers, silently eavesdrop on or modify unencrypted traffic, and inject malicious data into user sessions. The researcher confirmed that the Archer AX10 and Archer AX1500 are affected; both are still on sale and widely used. The EX141, Archer VR400, TD-W9970 and a number of the manufacturer's other devices may also be at risk.

TP-Link says its specialists are still assessing the severity and checking whether CWMP is enabled by default. Until fixes are available, users are advised to change the default admin password, disable CWMP if it is not used, update the firmware to the latest version and, where possible, isolate the router from critical network segments.