TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks. The zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), who noted that he first reported it to TP-Link on May 11, 2024. The Chinese networking equipment giant confirmed to BleepingComputer that it is currently investigating the exploitability and exposure of the flaw. Though a patch is reportedly already developed for European models, work is underway to develop fixes for U.S. and global firmware versions, with no specific date estimates given. TP-Link is aware of the recently disclosed vulnerability affecting certain router models, as reported by ByteRay, reads the statement TP-Link Systems Inc. sent to BleepingComputer. We take these findings seriously and have already developed a patch for impacted European models. Work is currently underway to adapt and expedite updates for U.S. and other global versions. Our technical team is also reviewing the reported findings in detail to confirm device exposure criteria and deployment conditions, including whether CWMP is enabled by default. We strongly encourage all users to keep their devices updated with the latest firmware as it becomes available via our official support channels. The vulnerability, which doesn’t have a CVE-ID assigned to it yet, is a stack-based buffer overflow in TP-Link’s CWMP (CPE WAN Management Protocol) implementation on an unknown number of routers. Researcher Mehrun, who found the flaw through automated taint analysis of router binaries, explains that it lies in a function that handles SOAP SetParameterValues messages. The problem is caused by a lack of bounds checking in ‘strncpy’ calls, making it possible to achieve remote code execution via buffer overflow when the stack buffer size is above 3072 bytes. Mehrun says a realistic attack would be to redirect vulnerable devices to a malicious CWMP server and then deliver the oversized SOAP payload to trigger the buffer overflow.
Contact us : 0915579536
Or on the website digitalonion.ly
Visit us at our company address: Tripoli – Andalus Street – Next to the Iraqi Embassy.
Leave a Reply