
ZERO-DAY ALERT: Automated Discovery of Critical CWMP Stack Overflow in TP-Link Routers

**TL;DR: Discovered an unpatched zero-day in TP-Link routers (AX10/AX1500) that allows remote code execution. Reported to TP-Link on May 11th, 2024 – still unpatched. 4,247 vulnerable devices found online.**

# The Discovery

Used automated taint analysis to find a stack-based buffer overflow in TP-Link’s CWMP (TR-069) implementation. The vulnerability exists in function `sub_1e294` that processes SOAP SetParameterValues messages.

**Key Technical Details:**

* Stack buffer: 3072 bytes
* Saved PC overwritten at offset 3108: a 3112-byte payload of "A"*3108 + "BBBB"
* Result: `pc = 0x42424242` (full control of the program counter)
* Mitigations: the overwrite is a straight linear overflow that reaches the saved PC, so no stack canary protects this frame

# Proof of Concept

```c
// Vulnerable code pattern (decompiled sub_1e294, simplified)
char* result_2 = strstr(s, "cwmp:SetParameterValues");
// Size calculated from user input and never checked against the 3072-byte stack buffer - BAD PRACTICE
strncpy(stack_buffer, user_data, calculated_size);
// OVERFLOW once calculated_size exceeds the buffer
```

Exploitation requires pointing the router's CWMP (ACS) server URL at an attacker-controlled host. The device then initiates the TR-069 session itself, and the rogue ACS answers with a SetParameterValues message whose oversized parameter value overflows the stack buffer.
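The following C program is an added example, not TP-Link's code and not the author's proof of concept. It models the copy pattern above against a SetParameterValues body of the kind a rogue ACS would return: the SOAP layout, the parameter name `Device.ManagementServer.URL` and the helper names are assumptions. The vulnerable path only reports how many bytes the unchecked `strncpy` would write (performing it would smash this program's own stack), while the hardened path bounds the copy by the destination and rejects the 3108-"A" + "BBBB" payload from the write-up.

```c
/* Added example: models the unchecked copy described in the write-up.
   Not TP-Link's code; SOAP layout, parameter name and helper names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_SIZE 3072          /* stack buffer size reported in the write-up */

/* Build a minimal SetParameterValues body with one parameter (constructed sample input). */
char *make_spv_message(const char *value) {
    const char *head =
        "<soap:Envelope><soap:Body><cwmp:SetParameterValues><ParameterList>"
        "<ParameterValueStruct><Name>Device.ManagementServer.URL</Name><Value>";
    const char *tail =
        "</Value></ParameterValueStruct></ParameterList>"
        "</cwmp:SetParameterValues></soap:Body></soap:Envelope>";
    size_t n = strlen(head) + strlen(value) + strlen(tail) + 1;
    char *msg = malloc(n);
    if (!msg) return NULL;
    snprintf(msg, n, "%s%s%s", head, value, tail);
    return msg;
}

/* Locate the first <Value> payload after the SetParameterValues tag.
   Returns its length and points *start at its first byte (0 if not found). */
size_t spv_value_span(const char *soap, const char **start) {
    const char *p = strstr(soap, "cwmp:SetParameterValues");
    if (!p) return 0;
    const char *v = strstr(p, "<Value>");
    if (!v) return 0;
    v += strlen("<Value>");
    const char *end = strstr(v, "</Value>");
    if (!end) return 0;
    *start = v;
    return (size_t)(end - v);
}

/* Vulnerable pattern: the copy length comes from the message, not from the buffer.
   Returns how many bytes strncpy would write; anything above STACK_BUF_SIZE overruns
   the frame. The copy itself is NOT executed here because it would corrupt our own stack. */
size_t vulnerable_copy_length(const char *soap) {
    const char *start = NULL;
    size_t calculated_size = spv_value_span(soap, &start);
    /* char stack_buffer[STACK_BUF_SIZE];
       strncpy(stack_buffer, start, calculated_size);   <-- the bug: no bound check */
    return calculated_size;
}

/* Hardened version: bound the copy by the destination and reject oversize values
   outright rather than silently truncating (a truncated URL is still wrong data).
   Returns the stored length, or -1 when the value is missing or does not fit. */
long hardened_copy(const char *soap, char *dst, size_t dst_size) {
    const char *start = NULL;
    size_t len = spv_value_span(soap, &start);
    if (len == 0 || len >= dst_size)     /* leave room for the terminator */
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return (long)len;
}

/* Payload from the write-up: 3108 x "A" followed by "BBBB" (0x42424242 lands in pc). */
char *crash_payload(void) {
    char *p = malloc(3112 + 1);
    if (!p) return NULL;
    memset(p, 'A', 3108);
    memcpy(p + 3108, "BBBB", 4);
    p[3112] = '\0';
    return p;
}

int main(void) {
    char *payload = crash_payload();
    char *msg = make_spv_message(payload);
    char dst[STACK_BUF_SIZE];
    printf("vulnerable copy would write %zu bytes into a %d-byte buffer\n",
           vulnerable_copy_length(msg), STACK_BUF_SIZE);
    printf("hardened copy result: %ld (-1 = rejected)\n",
           hardened_copy(msg, dst, sizeof dst));
    free(msg);
    free(payload);
    return 0;
}
```

The fix is not the `strncpy` itself but where its length comes from: the destination size must be the bound, and a value that does not fit should be refused rather than trimmed, because a silently truncated ACS URL is a second, quieter failure.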

# Impact

**Affected Models:**

* TP-Link Archer AX10 (all hardware versions V1, V1.2, V2, V2.6)
* TP-Link Archer AX1500 (identical binary)
* Potentially: EX141, Archer VR400, TD-W9970

**Firmware Versions:** 1.3.2, 1.3.8, 1.3.9, 1.3.10 (all vulnerable)

**Internet Exposure:** 4,247 unique IPs confirmed vulnerable via Fofa search

# Why This Matters

Router security is often terrible: default passwords, weak configurations and other vulnerabilities. Getting at the configuration isn't hard, and standing up a rogue CWMP server is trivial. Once the TR-069 server URL is changed, the router connects to the malicious server and the attacker gets root.

# Timeline

* **Discovery:** January 2025 (automated analysis)
* **Vendor Notification:** May 11th, 2024
* **Current Status:** Probably Patched
* **Public Disclosure:** Now


