
TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks

A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices by sending specially crafted requests.

The vulnerability, tracked as CVE-2024-5035, carries a CVSS score of 10.0. It impacts all versions of the router firmware including and prior to 1_1.1.6. It has been patched in version 1_1.1.7 released on May 24, 2024.

“By successfully exploiting this flaw, remote unauthenticated attackers can gain arbitrary command execution on the device with elevated privileges,” German cybersecurity firm ONEKEY said in a report published Monday.


The issue is rooted in a binary related to radio frequency testing, “rftest,” that is launched on startup and exposes a network listener on TCP ports 8888, 8889, and 8890, thus allowing a remote unauthenticated attacker to achieve code execution.

While the network service is designed to only accept commands that start with “wl” or “nvram get,” ONEKEY said it found that the restriction could be trivially bypassed by injecting a command after shell meta-characters like ;, &, or | (e.g., “wl;id;”).


TP-Link’s implemented fix in version 1_1.1.7 Build 20240510 addresses the vulnerability by discarding any command containing these special characters.
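The gap between a prefix check and a safe command filter can be shown in a few lines of C. This is an added example, not ONEKEY's or TP-Link's code: all function names are hypothetical, and the allowlist variant and argv splitting go beyond the fix described above as one assumed, stricter design.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical names throughout; this is not TP-Link's rftest code. */
static const char *const PREFIXES[] = { "wl", "nvram get" };
#define N_PREFIXES (sizeof PREFIXES / sizeof PREFIXES[0])

/* "Before": accept anything that merely starts with an allowed prefix. */
bool check_prefix_only(const char *cmd) {
    for (size_t i = 0; i < N_PREFIXES; i++)
        if (strncmp(cmd, PREFIXES[i], strlen(PREFIXES[i])) == 0) return true;
    return false;
}

/* Fix as the article describes it: also discard commands containing the
 * metacharacters it names (; & |). */
bool check_with_denylist(const char *cmd) {
    return check_prefix_only(cmd) && strpbrk(cmd, ";&|") == NULL;
}

/* Stricter variant (an assumption, beyond the described fix): the prefix must
 * end at a word boundary and every byte must be on a small allowlist. */
bool check_allowlist(const char *cmd) {
    bool prefix_ok = false;
    for (size_t i = 0; i < N_PREFIXES && !prefix_ok; i++) {
        size_t n = strlen(PREFIXES[i]);
        prefix_ok = strncmp(cmd, PREFIXES[i], n) == 0 &&
                    (cmd[n] == '\0' || cmd[n] == ' ');
    }
    if (!prefix_ok) return false;
    for (const unsigned char *p = (const unsigned char *)cmd; *p; p++)
        if (!isalnum(*p) && strchr(" _.-:", *p) == NULL) return false;
    return true;
}

/* Split an accepted command into argv in place, so it can be handed to
 * execvp() directly and never reaches a shell. Returns argc, or -1 if full. */
int split_argv(char *cmd, char *argv[], int max_args) {
    int argc = 0;
    for (char *tok = strtok(cmd, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= max_args - 1) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}
```

Passing the resulting argv to `execvp()` instead of building a string for `system()` removes the shell from the path entirely, so metacharacters lose their meaning even if a filter misses one.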


“It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices,” ONEKEY said.

The disclosure arrives weeks after security flaws were also revealed by the company in Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and Ligowave networking gear (CVE-2024-4999) that could allow remote attackers to gain remote command execution with elevated privileges.

It's worth noting that these flaws remain unpatched because the products are no longer actively maintained, making it imperative that users take adequate steps to limit exposure of administration interfaces to reduce the potential for exploitation.
