Critical Vulnerability in TP-Link Archer C5400X Routers

A maximum-severity vulnerability has been disclosed in the TP-Link Archer C5400X gaming router that could allow remote code execution on affected devices via specially crafted requests.

Tracked as CVE-2024-5035 with a CVSS score of 10.0, the vulnerability affects all firmware versions up to and including 1_1.1.6. It was fixed in version 1_1.1.7, released on May 24, 2024.

According to a report by German cybersecurity company ONEKEY released on Monday, successful exploitation allows a remote, unauthenticated attacker to execute arbitrary commands on the device with elevated privileges. The issue lies in a binary related to radio-frequency testing, “rftest,” which is launched at boot and opens network listeners on TCP ports 8888, 8889 and 8890. Commands received on those ports are passed on to a shell, which is what makes remote code execution possible.

The service is designed to accept only commands starting with “wl” or “nvram get,” but ONEKEY found that this prefix check can be bypassed by appending shell metacharacters such as a semicolon (;), an ampersand (&) or a pipe (|) to an allowed prefix (e.g., “wl;id;”): the prefix passes the check, and the shell then executes everything that follows it.

TP-Link addressed the vulnerability in firmware version 1_1.1.7 Build 20240510 by discarding any command that contains these special characters. Confirming the fix on a device comes down to checking the installed firmware version, or checking whether TCP ports 8888, 8889 and 8890 still accept connections.
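To make the filter behaviour concrete, here is an added C example written for this page; it is not code from the TP-Link firmware or from ONEKEY's report. It reconstructs, as a hypothesis, a prefix-only check of the kind described above, a denylist check limited to the three metacharacters named in the report, a wider denylist (the extra characters are my assumption about what a POSIX-shell denylist would have to cover), and an argv-based alternative that never involves a shell at all. No command is executed; the example only shows which inputs each check accepts. The function names and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 256
#define MAX_ARGS 16

/* Hypothetical reconstruction of the command filter the report describes.
 * Vulnerable behaviour: only the prefix is tested, and the whole line is
 * then handed to a shell (system()/popen() style), so "wl;id;" passes the
 * check and the shell runs "id". No shell is invoked in this example. */
bool prefix_only_allows(const char *line)
{
    return strncmp(line, "wl", 2) == 0 || strncmp(line, "nvram get", 9) == 0;
}

/* Denylist limited to the three metacharacters the report names. */
bool named_meta_allows(const char *line)
{
    return prefix_only_allows(line) && strpbrk(line, ";&|") == NULL;
}

/* Wider denylist (assumption: what a denylist would have to cover for a
 * POSIX shell; backticks, $(...), redirection and line breaks also start
 * new commands or substitutions). */
static const char SHELL_META[] = ";&|`$()<>\n\r";

bool denylist_allows(const char *line)
{
    return prefix_only_allows(line) && strpbrk(line, SHELL_META) == NULL;
}

/* Stronger design (my addition, not the vendor's patch): never involve a
 * shell. Split the line into argv on blanks, require argv[0] to be exactly
 * "wl" or argv[0..1] to be exactly "nvram get", then pass argv to
 * execvp()/posix_spawn(). Metacharacters stay ordinary bytes inside an
 * argument and never reach a shell parser.
 * Returns the argument count on success, 0 if the line is rejected. */
int argv_allows(const char *line, char *buf, size_t buflen,
                char *argv[], size_t max_args)
{
    size_t n = strlen(line);
    if (n + 1 > buflen)
        return 0;
    memcpy(buf, line, n + 1);

    int argc = 0;
    char *p = buf;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            *p++ = '\0';
        if (*p == '\0')
            break;
        if ((size_t)argc + 1 >= max_args)   /* keep room for the NULL */
            return 0;
        argv[argc++] = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
    }
    argv[argc] = NULL;

    if (argc >= 1 && strcmp(argv[0], "wl") == 0)
        return argc;
    if (argc >= 2 && strcmp(argv[0], "nvram") == 0 && strcmp(argv[1], "get") == 0)
        return argc;
    return 0;
}

/* Convenience wrapper with its own buffers; returns the accepted argc or 0. */
int argv_verdict(const char *line)
{
    char buf[MAX_LINE];
    char *argv[MAX_ARGS];
    return argv_allows(line, buf, sizeof buf, argv, MAX_ARGS);
}

int main(void)
{
    /* Constructed inputs: two legitimate queries, the report's "wl;id;",
     * and two variants that a denylist limited to ';', '&' and '|' lets
     * through. The argv column shows the accepted argc; "wl $(id)" is
     * accepted there because "$(id)" becomes a literal argument to wl that
     * no shell ever interprets. */
    const char *lines[] = {
        "nvram get wl0_ssid",
        "wl -i eth1 status",
        "wl;id;",
        "wl`id`",
        "wl $(id)",
    };
    printf("%-20s %-11s %-10s %-8s %s\n", "input", "prefix-only",
           "named-meta", "denylist", "argv");
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-20s %-11d %-10d %-8d %d\n", lines[i],
               prefix_only_allows(lines[i]), named_meta_allows(lines[i]),
               denylist_allows(lines[i]), argv_verdict(lines[i]));
    return 0;
}
```

The point of the last column is that the argv approach does not try to recognise attacks; it removes the shell from the path, so a metacharacter is just a byte in an argument. What remains is trust in the allowed programs themselves (wl and nvram get must cope with arbitrary arguments), which is an allowlist design question rather than a filtering one. Whether the denylist shipped in 1_1.1.7 covers more than the three characters named in the report is not something the report establishes.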

ONEKEY stated, “It appears that TP-Link, needing to quickly or cost-effectively respond to wireless device configuration API requests, ultimately exposed a so-called limited shell on the network, which internal clients can use to configure wireless devices.”

ONEKEY also disclosed security vulnerabilities in Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and LigoWave network devices (CVE-2024-4999), which could allow remote attackers to execute commands with elevated privileges.

Notably, because those Delta Electronics and LigoWave devices are no longer actively maintained by their vendors, these vulnerabilities remain unpatched. Operators must limit the exposure of the management interfaces (for example, keeping them off the internet and reachable only from trusted networks) to reduce the likelihood of exploitation.