Improper Authentication Information Disclosure Vulnerability Affects TP-Link Routers
CVE-2023-44447

6.5MEDIUM

Key Information:

Vendor: Tp-link
Status: Tl-wr902ac
Vendor: CVE Published:; 3 May 2024

Summary

The TP-Link TL-WR902AC router is susceptible to an information disclosure vulnerability due to improper authentication in its httpd service. This vulnerability permits network-adjacent attackers to extract sensitive data without requiring authentication, potentially disclosing stored credentials. The flaw arises from the default service configuration listening on TCP port 80. Exploitation of this vulnerability can lead to further unauthorized access and compromise of system integrity.

Affected Version(s)

TL-WR902AC TL-WR902AC(EU)_V1_170628

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1623/

x_research-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Sep 28, 2023