ZERO-DAY ALERT: Automated Discovery of Critical CWMP Stack Overflow in TP-Link Routers
TL;DR: Discovered an unpatched zero-day in TP-Link routers (AX10/AX1500) that allows remote code execution. Reported to TP-Link on May 11th, 2024 – still unpatched. 4,247 vulnerable devices found online.

The Discovery

Used automated taint analysis to find a stack-based buffer overflow in TP-Link's CWMP (TR-069) implementation. The vulnerability exists in function sub_1e294, which processes SOAP SetParameterValues messages.

Key Technical Details:

- Stack buffer: 3072 bytes
- PC register overwrite: 3112 bytes (payload: "A"*3108 + "BBBB")
- Result: pc = 0x42424242 (full control)
- Canary exploit mitigations

Proof of Concept

```c
// Vulnerable code pattern
char* result_2 = strstr(s, "cwmp:SetParameterValues");
// Size calculated from user input – BAD PRACTICE
strncpy(stack_buffer, user_data, calculated_size); // OVERFLOW!
```

Exploitation requires setting a malicious CWMP server URL in the router config; the device then connects and gets pwned.

Impact

Affected Models:

- TP-Link Archer AX10 (all hardware versions V1, V1.2, V2, V2.6)
- TP-Link Archer AX1500 (identical binary)
- Potentially: EX141, Archer VR400, TD-W9970

Firmware Versions: 1.3.2, 1.3.8, 1.3.9, 1.3.10 (all vulnerable)

Internet Exposure: 4,247 unique IPs confirmed vulnerable via Fofa search

Why This Matters

Router security is often terrible – default passwords, weak configs, other vulns. Getting config access isn't that hard, and setting up a rogue CWMP server is trivial. Once you change the TR-069 server URL, the router connects to your malicious server and you get root.

Timeline

- Discovery: January 2025 (automated analysis)
- Vendor Notification: May 11th, 2024
- Current Status: Probably Patched
- Public Disclosure: Now

submitted by /u/Mehrrun
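As an added defensive illustration (not the post's or TP-Link's code), the handler below shows the difference between the flagged pattern and a bounded one: `untrusted_copy_len` measures the length the request would dictate without copying, while `handle_set_parameter_values` caps the copy at the destination size and rejects a SetParameterValues body that would not fit. The method string and the 3072-byte buffer come from the post; the request layout built by `build_request`, the function names and the return codes are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

#define STACK_BUF 3072          /* destination size reported in the post */
#define METHOD "cwmp:SetParameterValues"

/* Length the vulnerable pattern hands to strncpy: computed from the
 * attacker-controlled bytes that follow the method tag, with no reference
 * to the destination size. Only measures; never performs the copy. */
size_t untrusted_copy_len(const char *soap)
{
    const char *m = strstr(soap, METHOD);
    return m ? strlen(m) : 0;
}

/* Hardened handler: bound the copy by the destination and reject anything
 * that would not fit, instead of letting the request choose the length.
 * Returns 0 on success, -1 if the method is absent, -2 if too large. */
int handle_set_parameter_values(const char *soap, char *out, size_t out_sz)
{
    const char *m = strstr(soap, METHOD);
    if (!m) return -1;
    size_t n = strlen(m);
    if (n >= out_sz) return -2;           /* keep room for the NUL */
    memcpy(out, m, n);
    out[n] = '\0';
    return 0;
}

/* Constructed request (not a real CWMP message): the method tag followed
 * by `fill` filler bytes, written into static storage. */
static const char *build_request(size_t fill)
{
    static char req[8192];
    size_t tl = strlen("<" METHOD ">");
    if (fill + tl >= sizeof req) fill = sizeof req - tl - 1;
    memcpy(req, "<" METHOD ">", tl);
    memset(req + tl, 'A', fill);
    req[tl + fill] = '\0';
    return req;
}

/* Result of the hardened handler for a request with `fill` filler bytes,
 * copying into a stack buffer of the size named in the post. */
int demo_status(size_t fill)
{
    char stack_buffer[STACK_BUF];
    return handle_set_parameter_values(build_request(fill), stack_buffer,
                                       sizeof stack_buffer);
}
```

With the 3108-byte filler from the post, `untrusted_copy_len` reports 3132 bytes against a 3072-byte destination, and the bounded handler returns -2 instead of writing past the buffer.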