Critical RCE Flaw In TP-Link Archer C5400X Router

Critical RCE Vulnerability In TP-Link Archer C5400X Gaming Router

Published on June 1st, 2024

Owners of TP-Link Archer C5400X routers beware! A critical security vulnerability (CVE-2024-5035) has been discovered that exposes your network to potential takeover by remote attackers. This flaw allows malicious actors to execute code on your router, granting them complete control over your network devices and data.

Thankfully, TP-Link has released a patch to address this issue, but immediate action is required to mitigate the risk.

German cybersecurity firm ONEKEY disclosed the vulnerability in a recently published report. The flaw allows remote attackers to execute arbitrary commands with elevated privileges on vulnerable devices, with no authentication required.

Unpatched Vulnerability Exposes Users (CVE-2024-5035)

The flaw, designated CVE-2024-5035, carries a CVSS score of 10.0, the maximum severity rating.

It affects all firmware versions before 1_1.1.7, leaving a significant user base susceptible to attacks.

Thankfully, TP-Link addressed the issue in firmware version 1_1.1.7, released on May 24, 2024.

Vulnerability Details: “rftest” Service As Attack Vector

The vulnerability resides within a binary named “rftest” launched during router startup.

This binary manages wireless interface self-assessment and regrettably exposes a network service susceptible to unauthenticated command injection.

Malicious actors can exploit this service to inject commands and execute them on the router with elevated privileges, potentially compromising the entire network.

Bypassing Restrictions To Achieve Remote Code Execution

The “rftest” service was designed to accept commands solely starting with “wl” or “nvram get”.

However, security researchers discovered a way to bypass this limitation by injecting commands after specific shell meta-characters like “;”, “,”, “&”, or “|” (e.g., “wl;id;”).

Patch Available: Update Immediately

TP-Link remedied the vulnerability in firmware version 1_1.1.7 Build 20240510.

This update strengthens security by discarding any commands containing the exploitable characters.

It’s crucial for users to update their Archer C5400X routers to the latest firmware as soon as possible to mitigate this critical risk.
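The filter weakness and the fix described above, as an added C example that is not TP-Link's or ONEKEY's code. The function names and the stricter allowlist variant are assumptions made for illustration; the prefixes and characters are the ones this article lists.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Prefixes the article says the service was meant to accept. */
static const char *const PREFIXES[] = { "wl", "nvram get" };
/* Characters the article lists as enabling the bypass. */
static const char METACHARS[] = ";,&|";

/* Length of the matching allowed prefix, or 0 if none matches. */
static size_t prefix_len(const char *cmd)
{
    for (size_t i = 0; i < sizeof PREFIXES / sizeof PREFIXES[0]; i++) {
        size_t n = strlen(PREFIXES[i]);
        if (strncmp(cmd, PREFIXES[i], n) == 0)
            return n;
    }
    return 0;
}

/* Weak form: only the start of the string is inspected, so anything
 * appended after a metacharacter is still handed to the shell. */
bool prefix_only_check(const char *cmd)
{
    return prefix_len(cmd) != 0;
}

/* Fix as the article describes it: discard any command that contains
 * one of the listed characters. */
bool denylist_check(const char *cmd)
{
    return prefix_len(cmd) != 0 && strpbrk(cmd, METACHARS) == NULL;
}

/* Stricter variant (assumption, not from the article): the prefix must be
 * a whole word and every byte must come from a small safe set, so the
 * check does not depend on enumerating every metacharacter. */
bool allowlist_check(const char *cmd)
{
    size_t n = prefix_len(cmd);
    if (n == 0 || (cmd[n] != '\0' && cmd[n] != ' '))
        return false;
    for (const unsigned char *p = (const unsigned char *)cmd; *p; p++)
        if (!isalnum(*p) && strchr(" _.-", *p) == NULL)
            return false;
    return true;
}
```

Validation of this kind is a second line of defence; a service that builds an argument vector and calls the target program directly, without a shell, removes the injection point altogether.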

Legacy Devices Remain Vulnerable

The report highlights additional security flaws discovered in Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and Ligowave networking equipment (CVE-2024-4999).

These vulnerabilities grant remote attackers similar RCE capabilities.

Unfortunately, these flaws remain unpatched as the affected devices are no longer actively supported.

Users of these devices should take steps to limit internet access to their administration interfaces to minimize the attack surface.

Frequently Asked Questions (FAQ)

Q: How can I check my TP-Link Archer C5400X router’s firmware version?

A: Access your router’s web interface and navigate to the settings or status section. The firmware version should be displayed there.

Q: How do I update the firmware on my TP-Link Archer C5400X router?

A: Download the latest firmware from TP-Link’s website and follow the provided instructions for your specific router model.

Q: What if I’m unable to update the firmware on my router?

A: If updating your router firmware is not possible, consider segmenting your network to isolate vulnerable devices and minimize potential damage. Additionally, consult TP-Link support for alternative solutions.