CVE-2015-3035
published 2015-04-22
CVE-2015-3035: Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware…
Priority: P186 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 83.77% (99.7th percentile)
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_c5_firmware | < 150317 | 150317 |
| tp-link | archer_c7_firmware | < 150304 | 150304 |
| tp-link | archer_c8_firmware | < 150316 | 150316 |
| tp-link | archer_c9_firmware | < 150302 | 150302 |
| tp-link | tl-wdr3500_firmware | < 150302 | 150302 |
| tp-link | tl-wdr3600_firmware | < 150302 | 150302 |
| tp-link | tl-wdr4300_firmware | < 150302 | 150302 |
| tp-link | tl-wr740n_firmware | < 150312 | 150312 |
| tp-link | tl-wr741nd_firmware | < 150312 | 150312 |
| tp-link | tl-wr841n_firmware | < 150310 | 150310 |
| tp-link | tl-wr841nd_firmware | < 150310 | 150310 |
Detection & IOCs (extracted from sources)
- Look for HTTP GET requests containing directory traversal sequences (.. dot dot) in the PATH_INFO component of the /login/ endpoint on TP-Link devices.
- Match HTTP 200 responses containing Unix passwd file content (root:[x*]:0:0) to confirm successful exploitation of the traversal.
- Use Shodan/FOFA/Google dorks to identify exposed TP-Link devices as potential targets: http.title:"TP-LINK", title="tp-link", intitle:"tp-link".
- The vulnerability is unauthenticated (Au:N) and network-accessible (AV:N), so no credentials are required to exploit it; any inbound GET to /login/../../.. paths should be flagged.
- Vulnerability affects multiple TP-Link device families across different firmware versions; patched firmware thresholds vary per model (e.g., Archer C5 before 150317, C7 before 150304, C8 before 150316, C9/TL-WDR series before 150302, TL-WR740N/741ND before 150312, TL-WR841N/ND before 150310).
- This is a CISA KEV entry with a past-due remediation date (2022-04-15), indicating active exploitation in the wild; prioritize detection and patching accordingly.
- The EPSS score is extremely high (0.92856, 99.767th percentile), confirming this CVE has a very high probability of exploitation in the wild.
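The request and response checks from the first two bullets, applied to HTTP access logs, as an added example (not code from this page or from any vendor). It assumes combined-log-format lines from a proxy or sensor that records the raw, un-normalized request URI; the sample lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log shape: src - - [time] "METHOD URI PROTO" STATUS SIZE
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
PASSWD_RE = re.compile(r"root:[x*]:0:0")  # pattern quoted in the bullet above
# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] "GET /login/../../../etc/passwd HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "GET /login/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '192.0.2.15 - - [10/Mar/2024:10:02:00 +0000] "GET /login/Index.htm HTTP/1.1" 200 2048',
    '192.0.2.15 - - [10/Mar/2024:10:02:09 +0000] "GET /css/main..css HTTP/1.1" 200 90',
]

def decode_path(uri, rounds=3):
    """Drop the query string, then percent-decode repeatedly (%2e%2e, %252e)."""
    path = uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_login_traversal(uri):
    """True when the decoded path is under /login/ and has a '..' segment."""
    path = decode_path(uri)
    if not path.lower().startswith("/login/"):
        return False
    return ".." in path[len("/login/"):].split("/")

def scan(lines):
    """Return (source, raw_uri, status) for each GET matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "GET" and is_login_traversal(m["uri"]):
            hits.append((m["src"], m["uri"], int(m["status"])))
    return hits

def body_confirms_read(status, body):
    """Second bullet: HTTP 200 whose body carries passwd file content."""
    return status == 200 and bool(PASSWD_RE.search(body))
```

Matching on whole `..` path segments rather than the substring keeps names such as `main..css` from alerting; the status code in each hit helps separate probes from reads that succeeded.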
CVSS provenance
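| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |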
GHSA
GHSA-4qv6-46qm-w9fg: Directory traversal vulnerability in TP-LINK Archer C5 (1
ghsa_unreviewed·2022-05-14
CVE-2015-3035 [HIGH] CWE-22 GHSA-4qv6-46qm-w9fg: Directory traversal vulnerability in TP-LINK Archer C5 (1
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
VulnCheck
TP-Link Multiple Archer Devices Directory Traversal Vulnerability
vulncheck·2015·CVSS 7.5
CVE-2015-3035 [HIGH] CWE-22 TP-Link Multiple Archer Devices Directory Traversal Vulnerability
Directory traversal vulnerability in multiple TP-Link Archer devices allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
Affected: TP-Link Multiple Archer Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-15
CISA
TP-Link Multiple Archer Devices Directory Traversal Vulnerability
cisa·2022-03-25·CVSS 7.5
CVE-2015-3035 [HIGH] CWE-22 TP-Link Multiple Archer Devices Directory Traversal Vulnerability
Vulnerability: TP-Link Multiple Archer Devices Directory Traversal Vulnerability
Affected: TP-Link Multiple Archer Devices
Directory traversal vulnerability in multiple TP-Link Archer devices allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-3035
Remediation Due Date: 2022-04-15
No detection rules found.
Metasploit
Archer C7 Directory Traversal Vulnerability
metasploit
This module exploits a directory traversal vulnerability in the PATH_INFO found at /login/ on TP-Link Archer C5, C7, and C9 routers of varying versions.
Nuclei
TP-LINK - Local File Inclusion
nuclei·CVSS 7.5
CVE-2015-3035 [HIGH] TP-LINK - Local File Inclusion
TP-LINK is susceptible to local file inclusion in these products: Archer C5 (1.2) with firmware before 150317, Archer C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310. Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.
Template:
id: CVE-2015-3035
info:
name: TP-LINK - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
TP-LINK is s
2015-04-22: Published
2022-03-25: Added to CISA KEV
Exploited in the wild