A critical security vulnerability has been uncovered in the TP-Link Archer C5400X gaming router, potentially enabling remote code execution on affected devices through specially crafted requests. This severe flaw, designated as CVE-2024-5035, has been assigned the maximum Common Vulnerability Scoring System (CVSS) score of 10.0, indicating its high impact. The vulnerability affects all firmware versions up to and including 1_1.1.6. However, TP-Link has addressed this issue in firmware version 1_1.1.7, which was released on May 24, 2024.
According to a report by German cybersecurity firm ONEKEY, this vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the device with elevated privileges. The report highlights the exploitation of a binary related to radio frequency testing, known as “rftest,” which, upon startup, opens network listeners on TCP ports 8888, 8889, and 8890. This configuration presents a unmediated entry point for potential attackers.
The network service associated with the vulnerable binary is intended to accept commands beginning with specific prefixes, such as “wl” or “nvram get.” However, ONEKEY’s analysis revealed that this seemingly robust restriction could be effortlessly circumvented. Attackers can inject additional commands after shell meta-characters like semicolons or pipes, allowing them to bypass the intended limitations and execute their desired commands on the affected devices.
TP-Link’s fix in version 1_1.1.7 effectively mitigates this vulnerability by nullifying any commands that contain special characters that could facilitate injection attacks. ONEKEY’s assessment suggests that TP-Link’s need for a quick or economically feasible wireless device configuration API led to an insecure network shell being exposed to clients within the router.
This disclosure comes on the heels of previously identified security weaknesses in other networking devices. TP-Link’s identification of vulnerabilities within Delta Electronics’ DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and Ligowave equipment (CVE-2024-4999) illustrates a broader trend of remote command execution vulnerabilities emerging in networking devices that can grant elevated privileges to attackers.
The entities affected by this vulnerability include both home and professional users of the TP-Link Archer C5400X router. Given the router’s widespread use, individuals and organizations that utilize this device should promptly update to the patched firmware version to mitigate potential exploits. Failure to address such vulnerabilities not only exposes individual users to risk but could also compromise the broader network infrastructure.
In the context of potential adversary tactics, this vulnerability aligns with techniques found in the MITRE ATT&CK framework. It encompasses initial access and privilege escalation methods, providing insights into how cyber adversaries could exploit similar weaknesses to gain unauthorized control over network devices. As attackers continue to seek out such vulnerabilities, it remains imperative for brands and users alike to maintain diligent practices in updating and securing their network devices.
As the cybersecurity landscape evolves, the responsibility falls on business owners and IT professionals to remain proactive about security updates and device management. Awareness and understanding of these ongoing threats are critical to safeguarding networks against potential breaches in an increasingly interconnected world.
