Critical Vulnerability in Gaming Router Allows Remote Code Attacks

A critical security flaw has been discovered in the TP-Link Archer C5400X gaming router, potentially allowing remote code execution on vulnerable devices through specially crafted requests.

This flaw, identified as CVE-2024-5035, has a CVSS score of 10.0. It affects all firmware versions up to and including 1_1.1.6 and has been patched in version 1_1.1.7, released on May 24, 2024.

The cybersecurity firm that discovered the flaw reported that remote attackers could exploit it to execute arbitrary commands with elevated privileges on the affected device.

The vulnerability is linked to the “rftest” binary used for radio frequency testing, which runs at startup and exposes a network listener on TCP ports 8888, 8889, and 8890. This allows unauthenticated remote attackers to execute code.

Although the network service is intended to accept only commands starting with “wl” or “nvram get,” the researchers discovered that this restriction can be bypassed easily with shell metacharacters such as `;`, `&`, or `|` (e.g., “wl;id;”), because the prefix check is applied to the raw string before it reaches a shell.

TP-Link addressed the vulnerability in version 1_1.1.7 Build 20240510 by discarding any command containing these special characters.
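The filtering problem described above is a general one, so here is an added example (written for this article, not TP-Link's or the researchers' code) that contrasts three ways of gating a command channel like the one the page describes. The first function reconstructs a prefix-only check as an assumption about the pre-patch behaviour, the second adds the "discard anything containing shell metacharacters" rule the page attributes to the fix, and the third shows the stricter alternative a defender would usually prefer: tokenise, allowlist the exact verb and argument shapes, and hand back an argv list that can be executed without a shell at all. The `wl`/`nvram get` verbs come from the page; the argument patterns, the metacharacter set and the `MAX_ARGS` limit are assumptions for illustration.

```python
import re
import shlex

# Shell metacharacters that permit chaining or substitution. The page names ; & and |;
# the rest are added here as a more complete (assumed) list.
SHELL_META = set(";&|`$(){}<>\n\r")


def prefix_only_allows(cmd: str) -> bool:
    """Prefix-only filter (assumed reconstruction of the pre-patch behaviour):
    accepts anything that merely starts with "wl" or "nvram get"."""
    return cmd.startswith("wl") or cmd.startswith("nvram get")


def reject_metachars_allows(cmd: str) -> bool:
    """Prefix filter plus the patched rule the page describes: discard any
    command containing shell metacharacters."""
    return prefix_only_allows(cmd) and not (SHELL_META & set(cmd))


# Allowlist shapes for arguments (assumed; tighten to whatever the real
# consumer actually needs).
NVRAM_KEY = re.compile(r"[A-Za-z0-9_.]+")
WL_ARG = re.compile(r"[A-Za-z0-9_./:-]+")
MAX_ARGS = 8


def allowlist_parse(cmd: str):
    """Strict allowlist parser (added design, not the vendor's fix): tokenise
    with shell quoting rules, require the verb to match exactly, validate every
    argument against a pattern, and return an argv list that can be run without
    a shell (e.g. subprocess.run(argv) with the default shell=False).
    Returns None when the command is rejected."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or len(argv) > MAX_ARGS:
        return None
    if argv[0] == "wl":
        if all(WL_ARG.fullmatch(a) for a in argv[1:]):
            return argv
        return None
    if argv[:2] == ["nvram", "get"] and len(argv) == 3 and NVRAM_KEY.fullmatch(argv[2]):
        return argv
    return None


def evaluate(cmd: str) -> dict:
    """Run one input through all three filters so the differences are visible."""
    return {
        "prefix_only": prefix_only_allows(cmd),
        "prefix_plus_metachar_reject": reject_metachars_allows(cmd),
        "allowlist_argv": allowlist_parse(cmd),
    }


if __name__ == "__main__":
    # Constructed sample inputs; "wl;id;" is the bypass shape quoted in the article.
    for sample in ["wl status", "nvram get wl0_ssid", "wl;id;",
                   "wl $(id)", "nvram set foo=1", "wl 'a;b'"]:
        print(repr(sample), evaluate(sample))
```

The point the three functions make side by side: a prefix check accepts `wl;id;`, a metacharacter blocklist rejects it but only for characters someone remembered to list, while the allowlist parser never lets the input near a shell, so a character the list forgot cannot turn into a second command.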

The researcher noted, “The need to provide a wireless device configuration API at TP-Link seems to have resulted in exposing a limited shell over the network, allowing clients within the router to configure wireless devices.”

To prevent exploitation of the TP-Link Archer C5400X router vulnerability, update the router firmware to the latest version (1_1.1.7) immediately. Disable any network services you do not need, monitor for unexpected connections to TCP ports 8888, 8889, and 8890, restrict remote access to the router’s management interface, and ensure that only trusted devices can join your network.
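For the monitoring advice above, here is an added example (not from the article or from TP-Link) of the kind of check a defender can run over firewall logs: it parses netfilter-style `LOG` lines, keeps TCP connection attempts to ports 8888, 8889 and 8890, and grades each one by whether it arrived on the WAN interface or from a non-private source address. The log lines are constructed for the example, the `eth0` WAN interface name is an assumption, and the field names (`IN=`, `SRC=`, `DST=`, `PROTO=`, `DPT=`) are the standard iptables/nftables log format.

```python
import ipaddress
import re

# Ports the article says the rftest listener exposes.
RFTEST_PORTS = {8888, 8889, 8890}
FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")


def parse_netfilter_line(line: str):
    """Extract the fields we need from one netfilter LOG line; None if it is
    not a TCP record with a destination port."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or not fields.get("DPT") or not fields.get("SRC"):
        return None
    return {
        "iface": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "dport": int(fields["DPT"]),
    }


def classify(rec, wan_iface: str = "eth0"):
    """Return "wan", "lan" or None for a parsed record. Any connection to the
    rftest ports is worth noting, since the service is meant only for clients
    inside the router; WAN-side or public-source attempts are the urgent ones."""
    if rec is None or rec["dport"] not in RFTEST_PORTS:
        return None
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return "wan"  # unparseable source: treat as untrusted
    if rec["iface"] == wan_iface or not src.is_private:
        return "wan"
    return "lan"


def find_alerts(lines, wan_iface: str = "eth0"):
    """Return (severity, src, dport) for every attempt on the rftest ports."""
    alerts = []
    for line in lines:
        rec = parse_netfilter_line(line)
        sev = classify(rec, wan_iface)
        if sev:
            alerts.append((sev, rec["src"], rec["dport"]))
    return alerts


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "kernel: IN=br0 OUT= SRC=192.168.0.23 DST=192.168.0.1 PROTO=TCP SPT=40001 DPT=80 SYN",
    "kernel: IN=br0 OUT= SRC=192.168.0.23 DST=192.168.0.1 PROTO=TCP SPT=40002 DPT=8888 SYN",
    "kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=8889 SYN",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=51235 DPT=8888",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A LAN-side hit still deserves a look (nothing on the LAN should legitimately be talking to these ports), but a WAN-side hit on an unpatched unit is the case to treat as a probable compromise attempt and to follow up with a firmware check.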