### #RouterExploitation #RemoteCodeExecution #FirmwareVulnerability
Summary: A critical vulnerability (CVE-2024-53375) in the TP-Link Archer AXE75 router allows remote attackers to execute arbitrary commands due to improper input validation. Security researcher Thanatos has confirmed that this flaw affects the router’s HomeShield functionality and can be exploited on specific firmware versions.
Threat Actor: Unknown
Victim: TP-Link Archer AXE75 router
Key Points:
- The vulnerability allows remote code execution due to a lack of input validation in the /admin/smart_network?form=tmp_avira endpoint.
- Exploitation requires manipulation of five parameters: ownerId, date, type, startIndex, and amount.
- A proof-of-concept exploit demonstrating the vulnerability has been published on GitHub.
- TP-Link has acknowledged the issue and provided a beta firmware fix, but a stable update is still pending.
- Users are advised to secure their devices by applying updates and enforcing strong passwords.
A newly discovered vulnerability in the TP-Link Archer AXE75 router, tracked as CVE-2024-53375, could allow remote attackers to execute arbitrary commands on vulnerable devices. This critical flaw, identified by security researcher Thanatos, affects the HomeShield functionality of the router and has been confirmed to be exploitable on firmware version 1.2.2 Build 20240827.
The vulnerability stems from a lack of proper input validation in the /admin/smart_network?form=tmp_avira endpoint. An attacker can craft a malicious HTTP POST request to this endpoint, triggering the execution of arbitrary commands on the router.
“This code harbors a Remote Code Execution (RCE) vulnerability because it parses the OwnerId directly to the os.execute function, without any sanitization nor checks,” Thanatos explains in their technical analysis.
To exploit this vulnerability, an attacker needs to manipulate five parameters in the request: ownerId, date, type, startIndex, and amount. A proof-of-concept (PoC) exploit demonstrating CVE-2024-53375 has been published on GitHub.
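As an added defensive illustration (not code from the advisory, from TP-Link, or from Thanatos), the following Python check shows the validation the endpoint lacked: a strict allow-list for the five named parameters, applied before any value could be concatenated into a command string. The per-parameter formats and the accepted `type` values are assumptions, since the page does not state them.

```python
import re
from urllib.parse import parse_qs

# Constructed allow-list rules for the five parameters named in the advisory.
# The exact formats the firmware expects are assumptions, not taken from TP-Link code.
PARAM_RULES = {
    "ownerId":    re.compile(r"[0-9]{1,10}"),
    "date":       re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"),
    "type":       re.compile(r"web|app|category"),
    "startIndex": re.compile(r"[0-9]{1,6}"),
    "amount":     re.compile(r"[0-9]{1,4}"),
}
# Characters that let a value escape from a shell command built by string concatenation.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")

def validate_params(params: dict) -> list:
    """Return validation errors for one parameter set; an empty list means well-formed."""
    errors = []
    for name, rule in PARAM_RULES.items():
        value = params.get(name)
        if value is None:
            errors.append(f"missing {name}")
        elif SHELL_META.search(value):
            errors.append(f"shell metacharacter in {name}")
        elif not rule.fullmatch(value):
            errors.append(f"invalid {name}")
    errors.extend(f"unexpected {name}" for name in params if name not in PARAM_RULES)
    return errors

def check_request(path: str, query: str, body: str) -> tuple:
    """Classify one HTTP request as ('allow' | 'deny' | 'ignore', reasons)."""
    if path != "/admin/smart_network" or parse_qs(query).get("form") != ["tmp_avira"]:
        return ("ignore", [])  # other endpoints are out of scope for this check
    # Flatten the form body to single values; repeated keys are rejected outright.
    fields = parse_qs(body, keep_blank_values=True)
    params = {k: v[0] for k, v in fields.items() if len(v) == 1}
    errors = validate_params(params) + [f"repeated {k}" for k, v in fields.items() if len(v) > 1]
    return ("deny", errors) if errors else ("allow", [])

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic; %3B decodes to ';' after splitting.
    benign = "ownerId=1234&date=2024-11-20&type=web&startIndex=0&amount=20"
    hostile = "ownerId=1234%3Bx&date=2024-11-20&type=web&startIndex=0&amount=20"
    print(check_request("/admin/smart_network", "form=tmp_avira", benign))   # ('allow', [])
    print(check_request("/admin/smart_network", "form=tmp_avira", hostile))  # ('deny', [...])
```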
Furthermore, the researcher successfully executed the id command, confirming that the exploit runs with root privileges, granting the attacker complete control over the device.
TP-Link has acknowledged the vulnerability and has reportedly provided a fixed beta firmware version. However, a stable, publicly available firmware update is yet to be released. In the meantime, users are urged to act promptly to secure their devices by applying available updates and disabling unnecessary services. Administrators should also enforce strong passwords for all accounts to minimize the risk of compromise.
Thanatos provides a detailed write-up of the vulnerability discovery process and exploitation techniques on their website, which includes insights into how the exploit was identified and tested. For more information, readers can refer to Thanatos’ detailed blog post or access the PoC code on GitHub.