TP-Link Vulnerable to OS Command Injection Through 2024.03.28
CVE-2023-6437

9.8 CRITICAL

Summary

The OS Command Injection vulnerability in various TP-Link networking devices allows attackers to execute arbitrary commands on the affected systems. This issue affects models such as the TP-Link EX20v AX1800, Archer C5v AC1200, TD-W9970, and more, enabling authenticated users to gain unauthorized control over the system. The vulnerability is particularly concerning for devices like the TP-Link VX220-G2u and VN020-G2u, which are no longer produced or supported, leaving them susceptible to exploitation. Organizations using these devices should take immediate action to mitigate risks associated with this vulnerability.

Affected Version(s)

TP-Link EX20v AX1800, TP-Link Archer C5v AC1200, TP-Link TD-W9970, TP-Link TD-W9970v3, TP-Link VX220-G2u, TP-Link VN020-G2u: versions 0 through 20240328

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammet Gedik