CVE-2020-28347
Published: 2020-11-08
Priority: P181
Severity: critical (CVSS 3.1 base score 9.8; AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available (see references)
EPSS: 73.85% (99.4th percentile)
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | ac1750_firmware | < 201029 | 201029 |
Detection & IOCs (extracted from sources)
- Monitor for command injection attempts targeting the slave_mac parameter in tdpServer traffic on the LAN interface; shell quote mishandling (bypass of the CVE-2020-10882 patch) enables arbitrary command execution as root.
- Exploitation is LAN-side only and requires no authentication; alert on unexpected outbound connections or binary downloads initiated from the router process tdpServer post-exploitation.
- The updated injection technique (November 2020 bypass) works on older firmware too; treat all TP-Link Archer A7/C7 firmware versions prior to 201029/201030 as vulnerable.
- Exploitation is restricted to the LAN segment; the vulnerability is not remotely exploitable from the WAN side.
- Affected scope is specifically TP-Link Archer A7/C7 (AC1750) hardware version 5, MIPS architecture; firmware versions before 201029 (A7) and 201030 (C7) are vulnerable.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md
- https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/minesweeper.md
- https://github.com/rapid7/metasploit-framework/pull/14365
- https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md
- https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md