
TP-Link has confirmed the existence of a new zero-day vulnerability affecting several of its router models. The flaw was first identified by an independent security researcher operating under the alias Mehrun (ByteRay), who reported it on May 11, 2024. Yet, months later, a fix has still not been released for all impacted devices. The company has acknowledged the issue and stated that updates are in development. At present, patches are available only for the European firmware versions, while adaptations for the U.S. and other regions remain underway with no definitive release timeline.
The vulnerability has not yet been assigned a CVE identifier. It is a buffer overflow in the router's implementation of CWMP (CPE WAN Management Protocol, TR-069), the protocol ISPs use to administer customer routers remotely: the router connects to an Auto Configuration Server (ACS), which sends it SOAP-encoded RPC calls. The flaw sits in the handler for one of those RPCs, SetParameterValues. Parameter values are copied with strncpy without first checking their length against the destination buffer, so a value longer than 3072 bytes overflows it, and the overflow can be turned into execution of arbitrary code on the router. According to Mehrun, a practical attack spoofs the ACS and sends the router a specially crafted SetParameterValues request. He adds that this is feasible not only on outdated firmware but also on devices whose owners never changed the factory-default credentials.
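The following C program is an added illustration, not TP-Link's firmware code, of the flaw class described above and of its fix. A toy SetParameterValues handler pulls the text out of the SOAP <Value> element and copies it into a fixed 3072-byte parameter buffer; the unchecked variant takes the strncpy length from the attacker-supplied value rather than from the destination, so a 3080-byte value runs eight bytes past the buffer, while the hardened variant refuses anything that does not fit. A canary placed directly behind the buffer makes the overrun observable without touching foreign memory. The SOAP layout, the buffer layout, the parameter name and all function names are assumptions for the demo; only the 3072-byte limit and the unbounded-strncpy pattern come from the advisory.

```c
/* Added illustration (not TP-Link's code) of an unbounded strncpy in a
 * SetParameterValues handler and its hardened replacement.  Layout, names
 * and the SOAP snippet are assumptions; 3072 is the limit from the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PARAM_BUF_SIZE 3072   /* fixed parameter buffer, per the advisory */
#define CANARY_SIZE    16
#define CANARY_BYTE    0xAA

/* Parameter buffer with a canary directly behind it, in one flat array so
 * an overrun is visible without corrupting memory outside our own object. */
struct param_slot {
    unsigned char arena[PARAM_BUF_SIZE + CANARY_SIZE];
};

void slot_init(struct param_slot *s)
{
    memset(s->arena, 0, PARAM_BUF_SIZE);
    memset(s->arena + PARAM_BUF_SIZE, CANARY_BYTE, CANARY_SIZE);
}

/* 1 if the canary is intact, 0 if a copy ran past the parameter buffer. */
int slot_canary_ok(const struct param_slot *s)
{
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (s->arena[PARAM_BUF_SIZE + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Point *out/*out_len at the text between <Value ...> and </Value>.
 * Returns 0 on success, -1 if the element is missing. */
int extract_value(const char *soap, const char **out, size_t *out_len)
{
    const char *open = strstr(soap, "<Value");
    if (!open) return -1;
    const char *start = strchr(open, '>');
    if (!start) return -1;
    start++;
    const char *end = strstr(start, "</Value>");
    if (!end) return -1;
    *out = start;
    *out_len = (size_t)(end - start);
    return 0;
}

/* Flawed pattern: the copy length comes from the attacker-controlled value,
 * not from the destination, so strncpy's limit protects nothing. */
int set_value_unchecked(struct param_slot *s, const char *soap)
{
    const char *v; size_t n;
    if (extract_value(soap, &v, &n) != 0) return -1;
    strncpy((char *)s->arena, v, n);   /* n > 3072 overruns the buffer */
    return 0;
}

/* Hardened handler: refuse any value that does not fit with its NUL. */
int set_value_checked(struct param_slot *s, const char *soap)
{
    const char *v; size_t n;
    if (extract_value(soap, &v, &n) != 0) return -1;
    if (n >= PARAM_BUF_SIZE) return -2;   /* answer with a SOAP fault instead */
    memcpy(s->arena, v, n);
    s->arena[n] = '\0';
    return 0;
}

/* Constructed SetParameterValues body whose <Value> is `len` 'A' bytes, as a
 * spoofed ACS might send it (caller frees). */
char *build_request(size_t len)
{
    const char *head = "<cwmp:SetParameterValues><ParameterList>"
        "<ParameterValueStruct><Name>Device.DNS.Client.Server.1.DNSServer</Name>"
        "<Value xsi:type=\"xsd:string\">";
    const char *tail = "</Value></ParameterValueStruct></ParameterList>"
        "</cwmp:SetParameterValues>";
    size_t hl = strlen(head), tl = strlen(tail);
    char *req = malloc(hl + len + tl + 1);
    if (!req) return NULL;
    memcpy(req, head, hl);
    memset(req + hl, 'A', len);
    memcpy(req + hl + len, tail, tl + 1);   /* copies the terminating NUL too */
    return req;
}

/* 1 if the unchecked handler clobbers the canary for a `len`-byte value,
 * 0 if the copy stays inside the buffer, -1 on allocation failure. */
int overflow_observed(size_t len)
{
    struct param_slot s;
    char *req = build_request(len);
    if (!req) return -1;
    slot_init(&s);
    set_value_unchecked(&s, req);
    free(req);
    return slot_canary_ok(&s) ? 0 : 1;
}

int main(void)
{
    struct param_slot s;
    char *req = build_request(3080);
    printf("3071-byte value, unchecked: overflow=%d\n", overflow_observed(3071));
    printf("3080-byte value, unchecked: overflow=%d\n", overflow_observed(3080));
    slot_init(&s);
    printf("3080-byte value, checked: rc=%d canary_ok=%d\n",
           set_value_checked(&s, req), slot_canary_ok(&s));
    free(req);
    return 0;
}
```

The point of the canary is only visibility: in the real firmware whatever lies behind the parameter buffer (other variables, saved registers, heap metadata) is what gets overwritten, which is why the advisory can speak of arbitrary code execution rather than a crash. The fix is not a different copy routine but a length check against the destination before any copy, with an error returned to the ACS for oversized values.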
If successfully exploited, the flaw hands the attacker control of the router: they can redirect DNS queries to rogue servers, silently eavesdrop on or tamper with unencrypted traffic, and inject malicious content into user sessions. Confirmed vulnerable models are the Archer AX10 and Archer AX1500, both still widely sold and popular. The EX141, Archer VR400, TD-W9970 and further TP-Link models may also be affected.
TP-Link has stated that its engineers are currently assessing the severity of the risk and verifying whether CWMP is enabled by default. In the meantime, users are strongly advised to:
- Change default administrator passwords,
- Disable CWMP (TR-069) unless the router is genuinely managed through it by an ISP; a CWMP-capable router normally also exposes a connection-request listener on TCP port 7547, so confirm from the WAN side that the port is no longer reachable once CWMP is off,
- Upgrade to the latest available firmware, and
- Isolate the router from critical segments of the network until official patches are released.