A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router, posing a significant risk of remote code execution on vulnerable devices. This vulnerability, identified as CVE-2024-5035, has been assigned a CVSS score of 10.0. It affects all versions of the router firmware up to and including version 1_1.1.6. TP-Link addressed the issue in version 1_1.1.7, which was released on May 24, 2024.
The flaw allows remote unauthenticated attackers to execute arbitrary commands on the affected device with elevated privileges. The issue is linked to a binary used for radio frequency testing, “rftest,” which starts at boot and listens on TCP ports 8888, 8889, and 8890. Although the service is supposed to only accept specific commands, researchers from German cybersecurity firm ONEKEY found that it can be easily bypassed by injecting commands after shell meta-characters like “;”, “&”, or “|”.
TP-Link’s patch for the flaw involves discarding any commands that contain these special characters, thereby mitigating the risk of exploitation. ONEKEY’s analysis suggests that the vulnerability may have arisen from a hasty or cost-effective implementation of the wireless device configuration API, resulting in an exposed shell over the network intended for configuring wireless devices.
This disclosure follows other recent security revelations concerning networking equipment, such as flaws in Delta Electronics DVW W02W2 industrial Ethernet routers and Ligowave devices. Unlike the TP-Link issue, these vulnerabilities remain unpatched due to the devices no longer being actively maintained. Users of such equipment are advised to take measures to limit exposure to administration interfaces to prevent potential exploitation.
