A critical zero-day vulnerability has been detected in the CWMP implementation of TP-Link routers, posing a significant security risk to thousands of users globally. Discovered in January 2025 through automated taint analysis, the flaw was reported to TP-Link on May 11, but remains unpatched, leaving users vulnerable.
CWMP, or TR-069, is a protocol that enables providers to manage routers remotely. Its complexity and privilege levels make it an appealing target for attackers. Researchers have identified a stack-based buffer overflow in the function that processes SetParameterValues SOAP messages, affecting popular models like the Archer AX10 and AX1500.
The issue arises because a length taken from the external message is used as the copy bound passed to strncpy, with no check against the destination, even though the stack buffer is only 3072 bytes. A 4096-byte payload therefore crashes the service and lets the program counter be overwritten, potentially leading to a full system compromise with root access.
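The flawed pattern the report describes, beside a hardened form, as an added C example that is not the researchers' code or TP-Link's: the frame layout, the canary standing in for the saved return address, and the function names are assumptions; only the 3072-byte buffer and the 4096-byte payload come from the report.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PARAM_BUF_SIZE 3072u   /* stack buffer size stated in the report */
#define OVERSIZED_LEN  4096u   /* payload length stated in the report */
#define CANARY 0xDEADBEEFu

/* Hypothetical model of the handler's stack frame: the value buffer, then
 * the data an overflow clobbers (a canary stands in for the saved return
 * address), then slack so the demo never leaves this one object. */
struct frame {
    char     value[PARAM_BUF_SIZE];
    uint32_t canary;
    char     slack[OVERSIZED_LEN];
};

/* Flawed pattern: the copy bound is the length carried by the message, so
 * the destination size is never consulted. Returns 1 if value[] was overrun
 * and the canary clobbered. The write goes through the frame's byte
 * representation so the overrun stays observable and inside the object. */
static int flawed_set_param(struct frame *f, const char *val, size_t msg_len) {
    f->canary = CANARY;
    strncpy((char *)f, val, msg_len);
    return f->canary != CANARY;
}

/* Hardened form: bound by the destination, reject what does not fit, and
 * always NUL-terminate. Returns 0 on success, -1 if the value is rejected. */
static int safe_set_param(struct frame *f, const char *val, size_t msg_len) {
    f->canary = CANARY;
    if (msg_len >= sizeof f->value)      /* leave room for the NUL */
        return -1;
    memcpy(f->value, val, msg_len);
    f->value[msg_len] = '\0';
    return 0;
}

/* Constructed input: a run of 'A's; msg_len plays the attacker-chosen length. */
static int run_demo(size_t msg_len, int hardened) {
    static char payload[OVERSIZED_LEN + 1];
    static struct frame f;
    memset(payload, 'A', OVERSIZED_LEN);
    payload[OVERSIZED_LEN] = '\0';
    return hardened ? safe_set_param(&f, payload, msg_len)
                    : flawed_set_param(&f, payload, msg_len);
}

int main(void) {
    printf("flawed, 4096 bytes: canary clobbered = %d\n", run_demo(OVERSIZED_LEN, 0));
    printf("hardened, 4096 bytes: rc = %d\n", run_demo(OVERSIZED_LEN, 1));
    printf("hardened, 100 bytes: rc = %d\n", run_demo(100, 1));
    return 0;
}
```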
Testing with a proof-of-concept demonstrated that a specially crafted payload could fully control the program counter, confirming the remote code execution scenario. The vulnerability is not limited to just two models, as TP-Link often reuses identical binaries across devices. The Fofa search engine has identified over 4,200 vulnerable devices accessible online, highlighting the real and immediate threat.
The attack’s ease of execution further exacerbates the danger. Many routers still use default passwords or have weak security settings. Once attackers gain access, they can change the CWMP server address to a malicious ACS server, delivering exploits for complete device takeover. The simplicity of setting up such a server and poor certificate validation increase the likelihood of active exploitation.
Despite having been reported in May, the vulnerability remains unresolved, so users should take precautions now. Until patches are available, users are advised to set strong passwords, disable TR-069 if possible, and monitor network activity closely to mitigate the risk.