A critical zero-day vulnerability has been discovered in TP-Link routers, exposing them to potential full system takeover through remote code execution (RCE). This flaw, identified in the Customer Premises Equipment WAN Management Protocol (CWMP), allows attackers to exploit a stack overflow in the function sub_1e294, leading to the possibility of executing code with root privileges. The vulnerability affects several TP-Link models, including the Archer AX10 and AX1500, and remains unpatched despite being reported in May 2024.
Security researchers found that the vulnerability arises from improper bounds checking in the processing of user-controlled SOAP messages, allowing attackers to send malicious messages that exceed buffer limits. This oversight can lead to a dangerous condition where the program counter register is overwritten, confirming the potential for RCE attacks.
The affected devices and firmware versions include various combinations of the Archer AX10 and AX1500 models, with additional models possibly at risk. An internet-wide scan revealed over 4,000 vulnerable IP addresses, highlighting the significant exposure of these devices to potential attacks.
Exploiting this vulnerability requires modifying CWMP server configurations, which can often be achieved through default credentials or weak passwords. Once access is gained, attackers can deploy rogue servers to trigger the stack overflow, posing substantial risks to residential and small business networks worldwide. The persistence of default security settings further exacerbates the threat posed by this zero-day vulnerability.
