TP-Link Archer C5400X router had a critical RCE flaw (CVE-2024-5035). Patch released, users must update to secure against hijacking and data breaches.

Continue reading
The TP-Link Archer C5400X is a high-performance tri-band gaming router known for its advanced features and robust performance. However, recent research has uncovered a critical security flaw, designated CVE-2024-5035, which permits unauthenticated remote command execution (RCE).
This vulnerability presents severe risks, including router hijacking, data interception, DNS manipulation, and internal network breaches.
The CVE-2024-5035 vulnerability was identified by analysts at OneKey through binary static analysis. It has been assigned a CVSS v4 score of 10.0, highlighting its critical nature. The flaw originates from the 'rftest' binary, which exposes a network service prone to command injection and buffer overflow vulnerabilities on TCP ports 8888, 8889, and 8890.
The 'rftest' binary operates a network listener on the identified ports to facilitate wireless interface self-assessment. However, it inadequately sanitizes user inputs, creating an opportunity for attackers to inject shell metacharacters.
Shell metacharacters like semicolons, ampersands, and pipes control functions in command-line shells. When improperly sanitized, these characters enable arbitrary command execution with elevated privileges.
# Example of vulnerable command execution
echo 'malicious_command' > /dev/tcp/target_ip/8888Attackers can craft messages containing shell metacharacters and send them to the open ports, leading to arbitrary command execution. This method allows attackers to exploit the rftest service for malicious activities.
The vulnerability permits command ID injection through port 8888. By embedding shell metacharacters within specially crafted messages, attackers can exploit the rftest service.
# Example of crafted payload
payload=";malicious_command;"
echo $payload > /dev/tcp/target_ip/8888The rftest service is also vulnerable to buffer overflows, where excessive data can overflow the allocated buffer space, causing memory corruption and potential code execution.
// Example of buffer overflow vulnerability
void vulnerable_function(char *input) {
char buffer[64];
strcpy(buffer, input); // No bounds checking
}OneKey reported the vulnerability to TP-Link’s Product Security Incident Response Team (PSIRT) on February 16, 2024. TP-Link responded promptly, releasing a beta patch by April 10, 2024, and a final security update on May 24, 2024.
The final update, Archer C5400X(EU)_V1_1.1.7 Build 20240510, addresses the CVE-2024-5035 vulnerability by filtering out commands containing shell metacharacters. This measure prevents unauthorized command execution.
// Example of command filtering implementation
bool contains_metacharacters(char *input) {
char *metacharacters = ";|&<>`";
return strpbrk(input, metacharacters) != NULL;
}
void secure_function(char *input) {
if (!contains_metacharacters(input)) {
// Safe to process input
} else {
// Reject input
}
}Users are strongly advised to download and install the firmware update from TP-Link’s official download portal or use their router admin panel to perform the update. This step is crucial to mitigate the vulnerability and secure their network.
The CVE-2024-5035 vulnerability in TP-Link Archer C5400X is a significant security threat. The prompt identification and remediation efforts by TP-Link are commendable. It is imperative for users to update their firmware to protect against potential exploits. This Threatfeed emphasizes the importance of rigorous security practices and proactive monitoring in safeguarding network devices.

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams