TP-Link Archer C5400X Vulnerability Exposes Gamers Online

The TP-Link Archer C5400X vulnerability was initially reported on February 16, 2024, with the submission of a detailed report to TP-Link's PSIRT.

by Ashish Khaitan May 28th, 2024

Share on LinkedInShare on Twitter

In a recent disclosure by ONEKEY Research Lab, a critical vulnerability in the TP-Link Archer C5400X gaming router was exposed, leading to remote command execution. The TP-Link Archer C5400X is a gaming router, with integrated malware defense, and has compatibility with Alexa voice commands and IFTTT applets. This TP-Link Archer C5400X vulnerability, tracked as CVE-2024-5035, was rooted in command injection, a format string vulnerability, and buffer overflows within components such as rftest and libshared. 

The vulnerability, known to affect versions before 1_1.1.7, posed a grave risk to users, potentially allowing malicious actors to execute arbitrary commands remotely with elevated privileges. While the format string vulnerability requires specific conditions for exploitation, the focus of this revelation centered around the rftest binary, integral to the device’s wireless functionality.

In the patch update by TP-Link, the Archer C5400X vulnerability has been fixed in version 1_1.1.7.

The Timeline of TP-Link Archer C5400X Vulnerability Exposure

According to ONEKEY Research Lab, the TP-Link Archer C5400X vulnerability was initially reported on February 16, 2024, with the submission of a detailed report to TP-Link’s PSIRT. Following the report, TP-Link promptly initiated a case on February 19.

Source: ONEKEY

After collaborative efforts and validation processes, TP-Link shared a beta version of 1.1.7p1 on April 10 for further testing, culminating in the confirmation and release of the patch by ONEKEY on May 27, 2024.

The vulnerability exposed a critical flaw in the TP-Link Archer C5400X gaming router, rendering it susceptible to remote command execution. This exploit granted unauthorized users the ability to execute arbitrary commands on the device, posing security risks to users’ data and network integrity.

“It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices”, said OneKey in the advisory. 

Understanding the TP-Link Archer C5400X Vulnerability

Source: TP-Link

Central to this TP-Link Archer C5400X vulnerability is the rftest binary, launched during the device’s initialization sequence. This binary, responsible for wireless interface self-assessment, inadvertently exposes a network service vulnerable to unauthenticated command injection. Attackers can leverage this vulnerability to remotely execute commands with elevated privileges, potentially compromising the device and its connected network.

To mitigate the risk posed by this vulnerability, users are strongly advised to upgrade their devices to version 1_1.1.7. TP-Link has implemented fixes to prevent command injection through shell meta-characters, thereby enhancing the security posture of affected devices. However, users must remain vigilant and proactive in ensuring their devices are up to date with the latest firmware releases to safeguard against emerging threats.

Exposing Recent Vulnerabilities in Routers

The TP-Link Archer C5400X router vulnerability is just one of the cases where a flaw was exploited without a third-party breach. Previously, CISA flagged two end-of-life D-Link routers, adding them to their Known Exploited Vulnerabilities catalog. 

The router vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affected three main products, DIR-600, DIR-605, and DIR-605L. Exploitation of these vulnerabilities allowed unauthorized configuration changes and the theft of usernames and passwords. 

The Cyber Security Agency of Singapore also stressed these two vulnerabilities, stating that the mitigation strategy to avoid exploitation is to “retire and replace their devices with products that are supported by the manufacturer.”


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button