CVE-2015-3035
published 2015-04-22


Priority: P186, high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 83.77% (99.7th percentile)
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.

Affected

11 ranges
Vendor    Product               Version range   Fixed in
tp-link   archer_c5_firmware    < 150317        150317
tp-link   archer_c7_firmware    < 150304        150304
tp-link   archer_c8_firmware    < 150316        150316
tp-link   archer_c9_firmware    < 150302        150302
tp-link   tl-wdr3500_firmware   < 150302        150302
tp-link   tl-wdr3600_firmware   < 150302        150302
tp-link   tl-wdr4300_firmware   < 150302        150302
tp-link   tl-wr740n_firmware    < 150312        150312
tp-link   tl-wr741nd_firmware   < 150312        150312
tp-link   tl-wr841n_firmware    < 150310        150310
tp-link   tl-wr841nd_firmware   < 150310        150310

Detection & IOCs (extracted from sources)

url: /login/../../../etc/passwd
path: /login/
  • Look for HTTP GET requests containing directory traversal sequences (.. dot dot) in the PATH_INFO component of the /login/ endpoint on TP-Link devices.
  • Match HTTP 200 responses containing Unix passwd file content (root:[x*]:0:0) to confirm successful exploitation of the traversal.
  • Use Shodan/FOFA/Google dorks to identify exposed TP-Link devices as potential targets: http.title:"TP-LINK", title="tp-link", intitle:"tp-link".
  • The vulnerability is unauthenticated (Au:N) and network-accessible (AV:N), so no credentials are required to exploit it — any inbound GET to /login/../../.. paths should be flagged.
  • Vulnerability affects multiple TP-Link device families across different firmware versions; patched firmware thresholds vary per model (e.g., Archer C5 before 150317, C7 before 150304, C8 before 150316, C9/TL-WDR series before 150302, TL-WR740N/741ND before 150312, TL-WR841N/ND before 150310).
  • This is a CISA KEV entry with a past-due remediation date (2022-04-15), indicating active exploitation in the wild; prioritize detection and patching accordingly.
  • The EPSS score is extremely high (0.92856, 99.767th percentile), confirming this CVE has a very high probability of exploitation in the wild.
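
The first two detection bullets can be run over access logs as below. This is an added example, not taken from the page or its sources. It assumes Common Log Format lines from a proxy or sensor in front of the device, with the response body available separately; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log shape: the quoted request field of Common Log Format, then the status.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PASSWD = re.compile(r"root:[x*]:0:0")  # response marker named in the bullets above

def decode_path(target, rounds=3):
    """Drop the query string and undo up to `rounds` layers of percent-encoding.
    The page does not say the device accepts encoded dots; decoding is only
    defensive normalization so such requests are not missed."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_login_traversal(target):
    """True when a dot-dot segment appears in the PATH_INFO after /login/."""
    path = decode_path(target)
    if not path.lower().startswith("/login/"):
        return False
    return ".." in path[len("/login/"):].split("/")

def classify(log_line, body=""):
    """Return 'confirmed', 'attempt' or None for one access-log line."""
    m = REQUEST.search(log_line)
    if not m or m["method"] != "GET" or not is_login_traversal(m["target"]):
        return None
    if m["status"] == "200" and PASSWD.search(body):
        return "confirmed"  # HTTP 200 carrying passwd content
    return "attempt"        # traversal seen, success not shown

# Constructed sample data (documentation addresses, not real traffic).
SAMPLES = [
    ('192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /login/../../../etc/passwd HTTP/1.1" 200 512',
     "root:x:0:0:root:/root:/bin/sh\n"),
    ('192.0.2.11 - - [01/Jan/2024:00:00:02 +0000] "GET /login/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0', ""),
    ('192.0.2.12 - - [01/Jan/2024:00:00:03 +0000] "GET /login/index.htm HTTP/1.1" 200 900', "<html>"),
]

if __name__ == "__main__":
    for line, body in SAMPLES:
        print(classify(line, body), "<-", line.split('"')[1])
```

An "attempt" result on a device running firmware older than the fixed build in the Affected table should be treated as a possible file disclosure even when the response body was not captured.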

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      7.8     HIGH       AV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck   -         7.5     HIGH       -
cisa        -         7.5     HIGH       -