Millions of Routers at Risk: CVE-2024-21833 Threatens TP-Link Devices

Recently, CYFIRMA’s Research Team has conducted an exhaustive analysis of a security vulnerability, identified as CVE-2024-21833, that poses a significant risk to TP-Link Routers. Discovered on January 10, 2024, by JPCERT/CC, this vulnerability has been assigned a CVSS score of 8.8, signifying its severity.

TP-Link, a trusted name in networking products, offers a wide range of solutions catering to both home and business users. Their routers, switches, Wi-Fi range extenders, and other devices have gained popularity for their reliability and affordability. The vulnerability affects models like the Archer AX3000, AX5400, AXE75, Deco X50, and XE200. It allows unauthenticated attackers nearby network access, enabling them to execute arbitrary OS commands. This flaw is not just a backdoor; it’s an open invitation to malicious actors, potentially allowing them to disrupt services, steal sensitive information, or enlist devices into botnets.

Several TP-Link router models are affected by CVE-2024-21833. The earliest impacted versions include Archer AX3000(JP)_V1_1.1.2 Build 20231115 and Deco XE200(JP)_V1_1.2.5 Build 20231120 or earlier. Users are strongly advised to update their firmware to recommended versions, such as “Archer AX3000(JP)_V1_1.1.2 Build 20231115” or newer, to address these security concerns.

The critical OS command injection flaw in TP-Link routers is particularly severe in Archer AX3000 firmware versions before 1.1.2. Attackers manipulate the HTTP request method parameter during a write operation in the web management interface’s HTTP Request endpoint. By crafting malicious HTTP requests, attackers can gain root user privileges, potentially taking complete control of the router’s operating system.

Image: Cyfirma

“The potential scale of the issue is significant, with a staggering 37,213 instances of TP-Link Archer devices, encompassing 20,114 unique IP addresses, publicly accessible and potentially vulnerable to this flaw,” the researcher stated.

Unfortunately, the TP-Link vulnerability is not an isolated incident. Recent years have witnessed a growing trend in threat actors targeting vulnerabilities in network infrastructure. Prominent examples include Cisco IOS XE (CVE-2023-20198), FatPipe WARP IPVPN (CVE-2021-27860), and D-LINK DIR-806 wireless router (CVE-2023-43128). The TP-Link case is further complicated by the involvement of Russian threat actor groups (APT 28) like FROZENLAKE and Sofacy, as well as Chinese-backed hacking groups such as Volt Typhoon. These vulnerabilities not only pose direct risks but also create supply chain attack opportunities, affecting various sectors, including finance, education, government, healthcare, insurance, and legal entities.

The unidentified hackers selling exploits related to CVE-2024-21833 on underground forums. This raises serious concerns as threat actors may develop bespoke tools to exploit router vulnerabilities.

As of now, there is no publicly available proof-of-concept (PoC) exploit tool for CVE-2024-21833. However, discussions and potential sharing of PoCs have taken place in Telegram channels. Evidence from underground forums indicates active exploitation of this vulnerability.

Mitigation measures are crucial. Users must promptly update their Archer AX3000 firmware to version 1.1.2 (or later). Network administrators should consider implementing network segmentation and firewall rules to restrict access to vulnerable devices.