Security researcher Rocco Calvi detailed a high-severity flaw in the TP-Link AX1800 WiFi 6 Router (Archer AX21/AX20) that lets an attacker on the local network execute code on the router as root.
The vulnerability, tracked as CVE-2023-28760 and rated CVSS 7.5 (High), resides in the MiniDLNA service behind the router's media-sharing feature. As the CVE record describes it, “TP-Link AX1800 WiFi 6 Router (Archer AX21) devices allow unauthenticated attackers (on the LAN) to execute arbitrary code as root via the db_dir field to minidlnad. The attacker obtains the ability to modify files.db, and that can be used to reach a stack-based buffer overflow in minidlna-1.1.2/upnpsoap.c.”
The flaw affects devices where users have connected a USB storage device to enable local file sharing (commonly accessed via \\192.168.0.1), a configuration used by many households for streaming and network storage.
The discovery centers around a weakness in the .TPDLNA/files.db database created when Media Sharing is enabled on the router. According to Calvi, “By default, Samba for Windows and Local FTP are enabled, and Media Sharing is enabled on the device, which means that the MiniDLNA, ProFTPd, and Samba services will start automatically for the USB share.”
This design allows attackers connected to the same LAN to tamper with the database through SMB or FTP. The vulnerability arises from improper bounds checking in MiniDLNA’s code — specifically in the callback function that processes SQL query results.
“During our static code analysis of the file minidlna-1.1.2/upnpsoap.c, we identified a vulnerability that resulted from improper bounds checking… the vendor assumed that the vulnerability was not reachable by an attacker and therefore did not patch it.”
This oversight proved costly. The db_dir entry in the MiniDLNA configuration file /tmp/minidlna.conf places the database on the USB share itself (.TPDLNA/files.db), so any user with network access to that share can modify files.db directly.
By injecting crafted data into files.db, attackers can trigger a stack-based buffer overflow, leading to remote code execution on the router.
The heart of the exploit lies in how the DLNA processing function copies metadata fields read from files.db into a fixed-size stack buffer. If a crafted dlna_pn (DLNA profile name) field is longer than that buffer, the copy overwrites adjacent stack memory.
As Calvi explains, “If the dlna_pn variable contains more characters than the buffer can hold, it will cause a stack-based buffer overflow, allowing an attacker to overwrite the stack and potentially execute arbitrary code on the router.”
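To make the overflow concrete, here is an added example (not Calvi's code and not minidlna's source): a sprintf-into-fixed-buffer pattern in the shape the text describes, a check that computes whether a given files.db row value would push the formatted string past the buffer, and a hardened variant that treats the database value as untrusted. The buffer size, the profile-name limit, the format string and the 300-byte crafted row are all assumptions made for the example; the real minidlna sizes may differ.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed size of the fixed stack buffer; the real minidlna value may differ. */
#define DLNA_BUF_SZ 128
/* Hypothetical upper bound for a DLNA profile name; real ones are short
 * (e.g. "AVC_MP4_BL_CIF15_AAC_520" is 24 characters). */
#define DLNA_PN_MAX 64

/* Format modelled on the DLNA.ORG_* protocolInfo field a DLNA server builds. */
static const char DLNA_FMT[] =
    "DLNA.ORG_PN=%s;DLNA.ORG_OP=01;DLNA.ORG_CI=0;DLNA.ORG_FLAGS=%08X%024X";

/* Vulnerable pattern: dlna_pn comes straight from a files.db row and sprintf
 * writes as many bytes as the format expands to, with no regard for the
 * buffer size. Shown for the bug; never call it with untrusted input. */
void format_dlna_vulnerable(char *out, const char *dlna_pn, unsigned flags)
{
    char dlna_buf[DLNA_BUF_SZ];
    sprintf(dlna_buf, DLNA_FMT, dlna_pn, flags, 0);   /* overflows if dlna_pn is long */
    strcpy(out, dlna_buf);
}

/* 1 if the vulnerable pattern would write past DLNA_BUF_SZ for this row value. */
int dlna_would_overflow(const char *dlna_pn, unsigned flags)
{
    int needed = snprintf(NULL, 0, DLNA_FMT, dlna_pn, flags, 0);
    return needed < 0 || needed + 1 > DLNA_BUF_SZ;
}

/* Builds a constructed dlna_pn of `len` 'A' bytes (a crafted files.db row)
 * and reports whether it would overflow. */
int crafted_row_overflows(size_t len)
{
    char crafted[512];
    if (len >= sizeof crafted)
        len = sizeof crafted - 1;
    memset(crafted, 'A', len);
    crafted[len] = '\0';
    return dlna_would_overflow(crafted, 0x01500000);
}

/* Hardened version: validate the database value and refuse (-1) rather than
 * overflow or silently truncate. Returns the formatted length on success. */
int format_dlna_hardened(char *out, size_t outsz, const char *dlna_pn, unsigned flags)
{
    char dlna_buf[DLNA_BUF_SZ];
    size_t i, n;
    int written;

    if (!out || outsz == 0 || !dlna_pn)
        return -1;
    n = strlen(dlna_pn);
    if (n == 0 || n > DLNA_PN_MAX)
        return -1;                         /* oversized profile name */
    for (i = 0; i < n; i++) {              /* profile names are [A-Za-z0-9_] only */
        unsigned char c = (unsigned char)dlna_pn[i];
        if (!isalnum(c) && c != '_')
            return -1;
    }
    written = snprintf(dlna_buf, sizeof dlna_buf, DLNA_FMT, dlna_pn, flags, 0);
    if (written < 0 || (size_t)written >= sizeof dlna_buf)
        return -1;                         /* would have been truncated */
    if ((size_t)written >= outsz)
        return -1;
    memcpy(out, dlna_buf, (size_t)written + 1);
    return written;
}

/* Single-value wrapper: -1 if the hardened path rejects the row, else length. */
int hardened_result(const char *dlna_pn)
{
    char out[256];
    return format_dlna_hardened(out, sizeof out, dlna_pn, 0x01500000);
}

int main(void)
{
    printf("benign MP3 overflows: %d\n", dlna_would_overflow("MP3", 0x01500000));
    printf("300-byte crafted row overflows: %d\n", crafted_row_overflows(300));
    printf("hardened, 80-byte row: %d\n",
           hardened_result("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("hardened, MP3: %d\n", hardened_result("MP3"));
    return 0;
}
```

With the assumed format the fixed part of the string is 89 bytes, so under these sizes any profile name of 39 bytes or more already overruns the 128-byte buffer; the hardened path rejects both oversized names and names containing characters a DLNA profile name never has (such as `;`), which is the check the page says the vendor assumed was unnecessary because the input was "not reachable".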
The attacker can then chain this overflow into return-oriented programming (ROP) to bypass security mitigations such as ASLR (Address Space Layout Randomization) and NX (No-eXecute).
“To overcome the exploit mitigations of ASLR and the NX bit, as well as the null byte restriction imposed by sprintf, we found a one gadget that allowed us to redirect execution to a single instruction despite the null byte limitation.”
The analysis highlights the use of a “one gadget” technique that redirects execution flow to the system() function within the router’s firmware, effectively giving the attacker command-line access as root.
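The "null byte restriction imposed by sprintf" that Calvi mentions is worth seeing in code. The following is an added example, not part of the original research: it shows how a `%s` copy silently drops everything after the first 0x00 in a payload, and a check for which gadget addresses can survive that copy. It assumes a 32-bit little-endian target (the page does not state the router's CPU) and the addresses used are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Copies `payload` the way a %s conversion does and reports how many bytes
 * actually reach the destination: sprintf stops at the first 0x00. */
size_t bytes_delivered_via_sprintf(const unsigned char *payload, size_t len)
{
    char src[256], dst[256];
    if (len >= sizeof src)
        len = sizeof src - 1;
    memcpy(src, payload, len);
    src[len] = '\0';                  /* the row value itself is NUL-terminated */
    sprintf(dst, "%s", src);
    return strlen(dst);
}

/* Constructed payload: two bytes, an embedded NUL, then two more bytes.
 * Only the first two bytes are delivered. */
size_t demo_truncated_payload(void)
{
    const unsigned char payload[] = { 0x41, 0x41, 0x00, 0x42, 0x42 };
    return bytes_delivered_via_sprintf(payload, sizeof payload);
}

/* Assumes a 32-bit little-endian target. A gadget address can sit inside a
 * %s-delivered payload only if none of its bytes is 0x00. One exception:
 * the NUL that sprintf appends lands right after the last copied byte, so
 * an address whose most significant byte is 0x00 (written last in
 * little-endian order) works if and only if it is the final item in the
 * payload. That is why a single gadget reached with one address is easier
 * to place than a long ROP chain. */
int addr_usable_in_payload(uint32_t addr, int is_last_item)
{
    for (int i = 0; i < 4; i++) {
        unsigned byte = (addr >> (8 * i)) & 0xffu;
        if (byte == 0)
            return (i == 3 && is_last_item) ? 1 : 0;
    }
    return 1;
}

int main(void)
{
    printf("bytes delivered from 5-byte payload with embedded NUL: %zu\n",
           demo_truncated_payload());
    printf("0x7f5e1234 mid-chain: %d\n", addr_usable_in_payload(0x7f5e1234u, 0));
    printf("0x00401234 mid-chain: %d\n", addr_usable_in_payload(0x00401234u, 0));
    printf("0x00401234 as last item: %d\n", addr_usable_in_payload(0x00401234u, 1));
    printf("0x7f000034 as last item: %d\n", addr_usable_in_payload(0x7f000034u, 1));
    return 0;
}
```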
Once successful, the attacker gains full control over the router, enabling command execution, data exfiltration, or lateral movement within the home network.
The research team developed a full proof-of-concept exploit to demonstrate the vulnerability during the Pwn2Own competition, where real-world exploits are safely demonstrated under responsible disclosure. The researchers achieved a remote interactive shell on the router, confirming successful exploitation.
TP-Link was notified under coordinated disclosure, and the issue was resolved in firmware version Archer AX20(EU)_V3_1.1.4 Build 20230219. Users of affected routers are strongly advised to upgrade immediately; the latest firmware and upgrade instructions are available from TP-Link's support site.