Command Injection Vulnerability in TP-Link Archer AX21 (AX1800) Firmware
CVE-2023-1389
Key Information:
- Vendor: TP-Link
- CVE Published: 15 March 2023
What is CVE-2023-1389?
CVE-2023-1389 is a significant vulnerability affecting the TP-Link Archer AX21 (AX1800) router firmware. This device is used by individuals and organizations for home and small business networking. The vulnerability allows unauthenticated attackers to exploit a command injection flaw in the web management interface, specifically in how it handles country settings. If exploited, it leads to command execution with root privileges, compromising the integrity and security of the network and the devices connected to it.
Technical Details
The vulnerability resides in the country parameter of the /cgi-bin/luci;stok=/locale endpoint in firmware versions prior to 1.1.4 Build 20230219. Because the input for the country parameter is not adequately sanitized, an attacker can craft malicious POST requests that inject commands into the system. These commands are executed with root-level access, which gives attackers considerable control over the device and potentially the entire network it manages.
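An added detection example, not from this page or from TP-Link: it scans web-access log lines for requests to the locale endpoint described above and flags any country value that is not a plain alphabetic country code, which is how a defender can spot probing for this flaw in proxy or router logs. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; the stok token varies per session, so match it loosely.
LOCALE_ENDPOINT = re.compile(r"/cgi-bin/luci/?;stok=[^/]*/locale")
# A legitimate country setting is a short alphabetic code; anything else is suspect.
SAFE_COUNTRY = re.compile(r"^[A-Za-z]{2,3}$")
# Assumed access-log shape: client, quoted request line, optional form body.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)"(?: body="(?P<body>[^"]*)")?'
)


def country_values(url, body):
    """Collect every 'country' value from the query string and the POST body."""
    values = []
    for source in (urlsplit(url).query, body or ""):
        values.extend(parse_qs(source, keep_blank_values=True).get("country", []))
    return values


def inspect_line(line):
    """Return a finding for a suspicious locale request, or None if the line is clean."""
    m = LOG_LINE.match(line)
    if not m or not LOCALE_ENDPOINT.search(m["url"]):
        return None
    for value in country_values(m["url"], m["body"]):
        if not SAFE_COUNTRY.match(value):
            return {"src": m["src"], "method": m["method"], "country": value}
    return None


def scan(lines):
    """Run inspect_line over a log and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample lines; none were captured from a real device.
SAMPLE_LOG = [
    '192.0.2.10 "POST /cgi-bin/luci;stok=abc123/locale" body="operation=write&country=US"',
    '198.51.100.7 "POST /cgi-bin/luci;stok=abc123/locale" body="operation=write&country=US%3Becho+hi"',
    '192.0.2.11 "GET /cgi-bin/luci;stok=abc123/locale?country=DE"',
    '192.0.2.12 "GET /cgi-bin/luci;stok=abc123/admin/status"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allowlist check (`SAFE_COUNTRY`) is the shape of validation the device-side handler should apply before the value ever reaches a shell.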
Potential impact of CVE-2023-1389
- Unauthorized Access: Attackers can gain unauthorized access to the router, allowing them to execute commands and potentially alter the router's configuration, which could lead to further attacks or data breaches.
- Network Compromise: Exploitation of this vulnerability may enable attackers to intercept data traveling through the network, jeopardizing sensitive information and communications.
- Malware Deployment: With root access, attackers can install malware or create backdoors to maintain persistence, allowing for ongoing control and exploitation of the affected systems.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply updates per vendor instructions.
Affected Version(s)
TP-Link Archer AX21 (AX1800): all versions prior to version 1.1.4 Build 20230219
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
- Exploited TP-Link Vulnerability Spawns Botnet Threats (4 weeks ago): Half a dozen different botnets are prowling the internet for TP-Link-brand Wi-Fi routers unpatched since last summer with the goal of commandeering them into
- New botnet exploits vulnerabilities in NVRs, TP-Link routers (1 month ago): A new Mirai-based malware campaign is actively exploiting unpatched vulnerabilities in Internet of Things (IoT) devices, including DigiEver DS-2105 Pro DVRs.
- IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (7 months ago): Mirai is a still-active botnet with new variants. We highlight observed exploitation of IoT vulnerabilities, chosen for their low complexity and high impact.
EPSS Score
10% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Used in Ransomware
- Public PoC available
- CISA Reported
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved