Remote Command Execution Vulnerability in TP-LINK Products
CVE-2024-21773

8.8 HIGH

Key Information:

Vendor: TP-Link
CVE Published: 11 January 2024

Summary

Multiple TP-LINK products contain a vulnerability that allows an unauthenticated, network-adjacent attacker to execute arbitrary OS commands. Exploitation requires access to the product through its LAN port or Wi-Fi interface, and can result in compromise of the targeted device and bypass of parental control restrictions. The affected models include the Archer AX3000, Archer AX5400, Deco X50 (version 1), and Deco XE200. Users should keep firmware updated and tighten access to their local network to mitigate these risks.

Affected Version(s)

Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"

Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"

Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
