CVE-2020-28347
published 2020-11-08

Priority P181 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 73.85% (99.4th percentile)

tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.

Affected

1 range

Vendor    Product            Version range    Fixed in
tp-link   ac1750_firmware    < 201029         201029

Detection & IOCs (extracted from sources)

path: /usr/bin/tdpServer
process: tdpServer
other: slave_mac
  • Monitor for command injection attempts targeting the slave_mac parameter in tdpServer traffic on the LAN interface; shell quote mishandling (bypass of CVE-2020-10882 patch) enables arbitrary command execution as root.
  • Exploitation is LAN-side only and requires no authentication; alert on unexpected outbound connections or binary downloads initiated from the router process tdpServer post-exploitation.
  • The updated injection technique (November 2020 bypass) works on older firmware too; treat all TP-Link Archer A7/C7 firmware versions prior to 201029/201030 as vulnerable.
  • Exploitation is restricted to the LAN segment; the vulnerability is not remotely exploitable from the WAN side.
  • Affected scope is specifically TP-Link Archer A7/C7 (AC1750) hardware version 5, MIPS architecture; firmware versions before 201029 (A7) and 201030 (C7) are vulnerable.

CVSS provenance

Source    Version    Score    Severity    Vector
nvd       v3.1       9.8      CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v2.0       10.0     CRITICAL    AV:N/AC:L/Au:N/C:C/I:C/A:C