In several dozen models of TP-Link routers remote code injection is possible: the developer confirms the vulnerability

Several dozen TP-Link router models may be susceptible to remote execution of arbitrary commands via command injection, on the condition that the attacker first authenticates on the router as an administrator, i.e. simply logs in after obtaining a login and password. This can be done locally (LAN) or remotely (WAN), if remote access to router management is enabled. The authenticated session can then be used to set up, for example, port forwarding or DNS address changes (a PoC of a successful attack was published, in which it was possible to establish a telnet session on a susceptible router).

The tests were carried out on the TL-WVR450L model with the firmware version V1.0161125 and on the TL-WVR900G model with the V3.0_170306 software, but the following models may also be vulnerable, as confirmed by the developer:

  • TP-Link ER5110G,
  • TP-Link ER5120G,
  • TP-Link ER5510G,
  • TP-Link ER5520G,
  • TP-Link R4149G,
  • TP-Link R4239G,
  • TP-Link R4299G,
  • TP-Link R473GP-AC,
  • TP-Link R473G,
  • TP-Link R473P-AC,
  • TP-Link R473,
  • TP-Link R478G+,
  • TP-Link R478,
  • TP-Link R478+,
  • TP-Link R483G,
  • TP-Link R483,
  • TP-Link R488,
  • TP-Link WAR1300L,
  • TP-Link WAR1750L,
  • TP-Link WAR2600L,
  • TP-Link WAR302,
  • TP-Link WAR450L,
  • TP-Link WAR450,
  • TP-Link WAR458L,
  • TP-Link WAR458,
  • TP-Link WAR900L,
  • TP-Link WVR1300G,
  • TP-Link WVR1300L,
  • TP-Link WVR1750L,
  • TP-Link WVR2600L,
  • TP-Link WVR300,
  • TP-Link WVR302,
  • TP-Link WVR4300L,
  • TP-Link WVR450L,
  • TP-Link WVR450,
  • TP-Link WVR458L,
  • TP-Link WVR900G,
  • TP-Link WVR900L

The CVE-2017-15637 ID has already been reserved for the vulnerability reported in September 2017. The developer confirmed in January 2018 that several dozen other models also contain a similar hole in the firmware. Although the security issue has been solved in the latest updates, it is still worth restricting admin panel login to devices directly connected to the router, that is, disabling login via WAN or Wi-Fi.

The vulnerability is serious. It received a CVSS (Common Vulnerability Scoring System) score of 7.2, although an exploit is not ready yet (it is a matter of time, because a PoC that gives remote access has been released).
