CVE-2020-12109
published 2020-05-04


Priority: P278 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 74.34% (99.4th percentile)
Certain TP-Link devices allow Command Injection. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.

Affected

23 ranges
Vendor | Product | Version range | Fixed in
tp-link | nc200_firmware | |
tp-link | nc200_firmware | |
tp-link | nc210_firmware | |
tp-link | nc210_firmware | |
tp-link | nc210_firmware | |
tp-link | nc220_firmware | |
tp-link | nc220_firmware | |
tp-link | nc230_firmware | |
tp-link | nc230_firmware | |
tp-link | nc230_firmware | |
tp-link | nc250_firmware | |
tp-link | nc250_firmware | |
tp-link | nc250_firmware | |
tp-link | nc250_firmware | |
tp-link | nc260_firmware | |
tp-link | nc260_firmware | |
tp-link | nc260_firmware | |
tp-link | nc260_firmware | |
tp-link | nc260_firmware | |
tp-link | nc450_firmware | |
tp-link | nc450_firmware | |
tp-link | nc450_firmware | |
tp-link | nc450_firmware | |

Detection & IOCs (extracted from sources)

URL: /setsysname.cgi
  • Monitor HTTP requests to /setsysname.cgi containing shell metacharacters in the system name (alias) field, which may indicate attempted command injection against TP-Link NCXXX cameras.
  • Alert on authenticated POST requests to /setsysname.cgi on TP-Link NC200/NC220/NC230/NC250/NC260/NC450 devices where the name parameter contains shell metacharacters (e.g., ;, |, `, $(), &&).
  • For NC210 devices, look for suspicious writes to the device configuration file combined with exploitation of CVE-2020-12110, as code execution is achieved by chaining config file write with swBonjourStartHTTP reading the alias name.
  • Injected commands execute as root; monitor for unexpected root-level process spawning from the Bonjour/mDNS service (swBonjourStartHTTP) on affected TP-Link camera devices.
  • Exploitation requires authentication; unauthenticated attackers cannot directly trigger the injection via /setsysname.cgi.
  • NC210 devices require a chained attack with CVE-2020-12110 (config file write) since /setsysname.cgi performs proper input validation on NC210; the vulnerable code path is swBonjourStartHTTP reading the alias from the config file.
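
The first two monitoring items above, sketched as detection logic over captured HTTP requests. This is an added example, not taken from this page's sources; it assumes a proxy or sensor that records request bodies as tab-separated records (src, method, url, body), and the sample records are constructed. It checks every submitted field rather than assuming a field name, and it does not cover the NC210 chain, which does not go through this endpoint's input.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters named in the guidance above: ; | ` $( &&
# (CR/LF added here as an extra command separator).
SHELL_META = re.compile(r"[;|`\r\n]|\$\(|&&")
TARGET_PATH = "/setsysname.cgi"

def suspicious_fields(method, url, body):
    """Return (field, value) pairs in a request to TARGET_PATH whose
    URL-decoded value contains a shell metacharacter."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != TARGET_PATH:
        return []
    # Check every field in the query string and the form body; no
    # particular field name is assumed.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in pairs if SHELL_META.search(v)]

def scan(lines):
    """Yield (source_ip, field, value) for each flagged record.
    Record layout (assumed): src<TAB>method<TAB>url<TAB>body."""
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) != 4:
            continue  # skip malformed records
        src, method, url, body = cols
        for field, value in suspicious_fields(method, url, body):
            yield src, field, value

# Constructed sample records (not real traffic; documentation IP range).
SAMPLE = [
    "192.0.2.10\tPOST\t/setsysname.cgi\tname=Front+Door+Cam",
    "192.0.2.44\tPOST\t/setsysname.cgi\tname=cam%3Bexample",
    "192.0.2.44\tPOST\t/setsysname.cgi\tname=cam%24%28example%29",
    "192.0.2.10\tPOST\t/index.html\tq=a%3Bb",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT", *hit)
```

Values are matched after URL decoding, so encoded metacharacters such as %3B are caught; a legitimate device name that happens to contain one of these characters will also be flagged and needs triage.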

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C