Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Zero-day vulnerability affecting TP-Link routers: what to know until the patch is released

5 September 2025 16:39

A new zero-day vulnerability has been discovered affecting several TP-Link router models. The issue, identified as a buffer overflow in the CPE WAN Management Protocol (CWMP) implementation, could allow an attacker to execute arbitrary code and redirect DNS requests to rogue servers.

The vulnerability was reported by an independent researcher known by the handle Mehrun (ByteRay) on May 11, 2024. TP-Link has confirmed the existence of the flaw and is working on updates to address the issue. Currently, the fix is only available for European firmware versions; the rollout for the US and other regions is ongoing.

The vulnerability resides in the function that processes SOAP SetParameterValues messages, where strncpy calls are made without bounds checking. Input longer than 3072 bytes overruns the destination buffer, which can lead to arbitrary code execution. A real-world attack requires taking the place of the router's CWMP server and sending a specially crafted SOAP request.
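The bug class the article describes, a bounded string copy whose bound is not tied to the destination size, is easy to see in a small contrast of the unsafe pattern and its hardened form. The following is an added illustration, not TP-Link's code: the 3072-byte buffer size comes from the article, while the struct, field and function names are constructed for the example.

```c
/*
 * Added illustration of the bug class described in the article: a bounded
 * copy whose bound is taken from the attacker-controlled source instead of
 * the destination. This is NOT TP-Link's code; the 3072-byte buffer size
 * follows the article, all names below are constructed for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PARAM_VALUE_MAX 3072  /* destination size named in the article */

struct cwmp_param {
    char name[64];
    char value[PARAM_VALUE_MAX];
};

/* Vulnerable pattern: strncpy bounded by the SOURCE length, so it never
 * truncates. A SOAP value of PARAM_VALUE_MAX bytes or more overruns the
 * struct, and the terminator write lands past the end of value[].
 * Shown for contrast only; it is never called in this example. */
void set_value_unchecked(struct cwmp_param *p, const char *src)
{
    strncpy(p->value, src, strlen(src));
    p->value[strlen(src)] = '\0';   /* out of bounds when strlen(src) >= PARAM_VALUE_MAX */
}

/* Hardened form: validate the length against the DESTINATION before copying,
 * reject oversized values instead of truncating silently, and always
 * NUL-terminate. Returns 0 on success, -1 if the value is rejected. */
int set_value_checked(struct cwmp_param *p, const char *src, size_t src_len)
{
    if (src == NULL || src_len >= sizeof(p->value))
        return -1;                  /* leave room for the terminator */
    memcpy(p->value, src, src_len);
    p->value[src_len] = '\0';
    return 0;
}

/* Builds a constructed value of `len` 'A' bytes (standing in for the value
 * field of a SetParameterValues request) and feeds it to the hardened setter,
 * so the accept/reject boundary can be checked end to end. */
int try_set_value(size_t len, struct cwmp_param *out)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    int rc = set_value_checked(out, buf, strlen(buf));
    free(buf);
    return rc;
}

int main(void)
{
    struct cwmp_param p;
    memset(&p, 0, sizeof p);
    size_t sizes[] = { 16, 3071, 3072, 4096 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int rc = try_set_value(sizes[i], &p);
        printf("%4zu-byte value: %s\n", sizes[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The hardened setter rejects any value of 3072 bytes or more rather than clamping it, which is the behaviour a management-protocol parser should have when a field exceeds its declared maximum: a silently truncated value is itself a correctness bug, and an explicit rejection is also the event a logging hook can record.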

If successfully exploited, the vulnerability can redirect DNS requests to rogue servers, silently intercept or modify unencrypted traffic, and inject malicious data into user sessions. Vulnerable router models include the Archer AX10 and Archer AX1500, which are still on sale and very popular.

TP-Link recommends that users change the factory administrator password, disable CWMP if it is not in use, update the firmware to the latest version and, where possible, isolate the router from critical network segments.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.