TP-Link Archer C5400X Router Exposed to Remote Code Execution

A serious vulnerability has been identified in the TP-Link Archer C5400X gaming router, leading to remote code execution on vulnerable devices through specially crafted requests.

The vulnerability, designated CVE-2024-5035, has received the highest possible score on the CVSS scale—10.0. It affects all firmware versions up to version 1_1.1.6.

“By successfully exploiting this flaw, a remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges,” reported the German cybersecurity company ONEKEY in its report yesterday.

The issue lies in the binary file for radio frequency testing, “rftest,” which runs at device startup and opens a network listener on TCP ports 8888, 8889, and 8890, permitting remote unauthenticated attackers to execute code.

Although the network service is designed to accept commands starting with “wl” or “nvram get,” ONEKEY discovered that this restriction can be easily bypassed by injecting a command after shell characters such as “;”, “&”, or “|” (for example, “wl;id;”).

In version 1_1.1.7 Build 20240510, released on May 24, 2024, TP-Link addressed the vulnerability by discarding any commands containing these special characters.
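To make the two filter behaviours concrete, the following is an added illustration written for this article, not TP-Link's rftest code or ONEKEY's proof of concept. It models a prefix-only check of the kind the article describes (which lets “wl;id;” through) next to a check that drops any request carrying shell metacharacters; the function names are assumptions, and the rejected character set is deliberately broader than the three characters named above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Shared allowlist check: the listener was meant to accept only
 * commands starting with "wl" or "nvram get". */
static bool has_allowed_prefix(const char *cmd)
{
    return strncmp(cmd, "wl", 2) == 0 || strncmp(cmd, "nvram get", 9) == 0;
}

/* Pre-fix behaviour (vulnerable): only the prefix is inspected, so a
 * request such as "wl;id;" passes and a shell would run "id" after "wl".
 * Hypothetical function name; models the bug, not the real binary. */
bool rftest_filter_vulnerable(const char *cmd)
{
    return has_allowed_prefix(cmd);
}

/* Post-fix behaviour: a request is discarded if it contains any shell
 * metacharacter.  The article names ';', '&' and '|'; this added set
 * also covers backticks, '$', newlines, redirection and grouping, since
 * any of them can change what a shell executes.  A stronger design is
 * to tokenize the request into argv and exec the tool without a shell. */
bool rftest_filter_hardened(const char *cmd)
{
    static const char metachars[] = ";&|`$\n\r<>(){}";
    if (!has_allowed_prefix(cmd))
        return false;
    return strpbrk(cmd, metachars) == NULL;
}

int main(void)
{
    /* Constructed sample requests: one legitimate, one injection attempt. */
    const char *samples[] = { "nvram get wl0_ssid", "wl;id;" };
    for (size_t i = 0; i < 2; i++)
        printf("%-20s vulnerable=%d hardened=%d\n", samples[i],
               rftest_filter_vulnerable(samples[i]),
               rftest_filter_hardened(samples[i]));
    return 0;
}
```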

“It appears that the need to provide an API for configuring wireless devices in TP-Link was either executed too hastily or too cheaply, resulting in the exposure of a limited network shell that could be used by clients in the router to configure wireless devices,” noted ONEKEY experts.

This incident underscores the necessity of comprehensive risk analysis and thorough testing of network components and APIs during the development of devices that handle remote requests. Security must be an integral part of the design process, not an afterthought added as an additional layer later.