
Unpatched Vulnerability Found in TP-Link Routers

TP-Link has confirmed the existence of an unpatched 0-day vulnerability affecting several router models. The company said it is already investigating the issue and preparing patches.

The zero-day was discovered by an independent researcher known as ByteRay, who says it was first reported to TP-Link on May 11, 2024.

The issue, which has not yet been assigned a CVE identifier, is a stack buffer overflow in TP-Link’s implementation of CWMP (CPE WAN Management Protocol) and affects an unknown number of router models.

The researcher found the vulnerability through automated analysis of the router’s binaries and explains that the flaw lies in the function that processes SOAP SetParameterValues messages. The bug is a lack of bounds checking in calls to strncpy: when the data copied exceeds the 3072-byte stack buffer, the overflow can lead to remote code execution.
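To make the defect concrete, here is an added C illustration (not TP-Link’s CWMP code and not the researcher’s analysis): a minimal handler that extracts the text of a `<Value>` element from a SetParameterValues body and copies it into a 3072-byte stack buffer. The unsafe copy is bounded by the attacker-controlled source length, which is the shape the article describes; the hardened copy is bounded by the destination size and rejects a value that does not fit. The function names, the SOAP fragments and the return codes are constructed for this example; only the 3072-byte buffer size comes from the article.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 3072 comes from the article; everything else here is a constructed
   illustration, not TP-Link's implementation. */
#define VALUE_BUF_SIZE 3072

/* Locate the text of the first <Value>...</Value> element in a SOAP body.
   Returns a pointer into `soap` and stores the text length in *len, or
   NULL if the element is missing or unterminated. */
static const char *find_value_text(const char *soap, size_t *len)
{
    const char *open = strstr(soap, "<Value>");
    if (!open) return NULL;
    const char *start = open + strlen("<Value>");
    const char *end = strstr(start, "</Value>");
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Unsafe shape described in the article: the strncpy bound is derived from
   the input length instead of the destination capacity, so a value longer
   than the stack buffer overruns it. Kept only for contrast; it is never
   called with oversized input in this file. */
void copy_value_unsafe(char *dst, const char *src, size_t src_len)
{
    strncpy(dst, src, src_len);   /* bound comes from the source: wrong */
    dst[src_len] = '\0';          /* writes past dst once src_len >= buffer */
}

/* Hardened form: bound by the destination size, and reject rather than
   silently truncate, since a truncated configuration value is itself a
   correctness hazard. Returns 0 on success, -1 if the value does not fit. */
static int copy_value_checked(char *dst, size_t dst_size,
                              const char *src, size_t src_len)
{
    if (src_len >= dst_size)      /* keep room for the terminator */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Process one SetParameterValues body with a 3072-byte stack buffer.
   Returns the accepted value length, -1 for a malformed body, or -2 when
   the value is oversized (rejected before any byte is copied). */
int handle_set_parameter_values(const char *soap)
{
    char value[VALUE_BUF_SIZE];
    size_t len;
    const char *text = find_value_text(soap, &len);
    if (!text) return -1;
    if (copy_value_checked(value, sizeof value, text, len) != 0)
        return -2;
    return (int)strlen(value);
}

/* Constructed benign body: a 32-character ACS URL value. */
int demo_benign(void)
{
    const char *body =
        "<cwmp:SetParameterValues><ParameterList>"
        "<Name>Device.ManagementServer.URL</Name>"
        "<Value>https://acs.example.invalid/cwmp</Value>"
        "</ParameterList></cwmp:SetParameterValues>";
    return handle_set_parameter_values(body);
}

/* Constructed body whose value is 512 bytes larger than the buffer. */
int demo_oversized(void)
{
    const char *prefix = "<cwmp:SetParameterValues><Value>";
    const char *suffix = "</Value></cwmp:SetParameterValues>";
    size_t fill = VALUE_BUF_SIZE + 512;
    size_t total = strlen(prefix) + fill + strlen(suffix);
    char *body = malloc(total + 1);
    if (!body) return -99;
    strcpy(body, prefix);
    memset(body + strlen(prefix), 'x', fill);
    strcpy(body + strlen(prefix) + fill, suffix);
    int rc = handle_set_parameter_values(body);
    free(body);
    return rc;
}

/* Constructed malformed body: the element is never closed. */
int demo_malformed(void)
{
    return handle_set_parameter_values("<cwmp:SetParameterValues><Value>abc");
}

int main(void)
{
    printf("benign: %d\n", demo_benign());        /* 32 */
    printf("oversized: %d\n", demo_oversized());  /* -2 */
    printf("malformed: %d\n", demo_malformed());  /* -1 */
    return 0;
}
```

The point of the contrast is that the length used to bound the copy must be a property of the destination, never of the request; a handler that checks the size before copying fails closed on an oversized payload instead of overrunning the stack.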

According to ByteRay, an attacker could redirect vulnerable devices to a malicious CWMP server and then deliver an oversized SOAP payload to trigger the buffer overflow.

After a compromise, an attacker can instruct the router to redirect DNS queries to malicious servers, silently intercept or manipulate unencrypted traffic, and inject malicious data into web sessions.

During testing, the researcher confirmed that the TP-Link Archer AX10 and Archer AX1500 ship vulnerable CWMP binaries. The researcher also notes that the vulnerability may be present in the EX141, Archer VR400, TD-W9970, and likely several other TP-Link devices.

TP-Link representatives told BleepingComputer that they are currently investigating whether this vulnerability is being exploited. They report that a patch for European router models has already been created, and that work is underway on firmware fixes for the U.S. and other countries. No specific patch release dates were provided.

“Our technical team is closely examining the researcher’s findings to confirm the impact criteria for devices and the conditions of exploitation, including whether CWMP is enabled by default,” the company says.
