CVE-2022-25064
published 2022-02-25

CVE-2022-25064: TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.

Priority: P1 82
Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 39.78% (98.4th percentile)
Affected

1 range
Vendor | Product | Version range | Fixed in
tp-link | tl-wr840n_firmware | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

URL: /cgi?2&2
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi?2&2"; fast_pattern; http.request_body; content:"|0d 0a|X_TP_FirewallEnabled"; content:"|0d 0a|X_TP_ExternalIPv6Address="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2022-25064; classtype:attempted-admin; sid:2035455; rev:1; metadata:created_at 2022_03_15, cve CVE_2022_25064, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_15;)
Bytes: |0d 0a|X_TP_FirewallEnabled
Bytes: |0d 0a|X_TP_ExternalIPv6Address=
  • Exploit arrives as an inbound HTTP POST request to the /cgi?2&2 endpoint on the target device.
  • The POST body contains the parameter X_TP_ExternalIPv6Address= with a value beginning with a shell injection character: semicolon (0x3b), newline (0x0a), ampersand (0x26), backtick (0x60), pipe (0x7c), or dollar sign (0x24).
  • The vulnerable function is oal_wan6_setIpAddr; RCE is triggered via the IPv6 address field in the WAN6 configuration CGI handler.
  • Both X_TP_FirewallEnabled and X_TP_ExternalIPv6Address= must appear in the POST body (in that order) for the exploit to be valid; use both as co-occurring body signatures.
  • The Snort/Suricata rule targets inbound traffic to $HOME_NET/$HTTP_SERVERS; ensure the TP-LINK device's management IP is included in these variables for the rule to fire.
  • The rule was created and last updated on 2022-03-15 (rev:1); verify whether updated revisions exist before deploying.
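A defender-side re-implementation of the rule's matching conditions, added here as an example (it is not part of the CVE record or of the rule's source); the request samples, the /cgi?1&1 endpoint and the "placeholder" field are constructed and not captured traffic:

```python
import re

# Conditions transcribed from the Snort/Suricata rule above (sid 2035455):
# POST to /cgi?2&2 whose body carries "\r\nX_TP_FirewallEnabled" and, after it,
# "\r\nX_TP_ExternalIPv6Address=" followed directly by a shell metacharacter.
FIREWALL_MARKER = b"\r\nX_TP_FirewallEnabled"
IPV6_MARKER = b"\r\nX_TP_ExternalIPv6Address="
# pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"  ->  ; \n & ` | $ as the first value byte
INJECTION_LEAD = re.compile(rb"^[\x3b\x0a\x26\x60\x7c\x24]")


def matches_cve_2022_25064(method: bytes, uri: bytes, body: bytes) -> bool:
    """Return True only when every condition of the rule holds for one request."""
    if method != b"POST" or b"/cgi?2&2" not in uri:
        return False
    first = body.find(FIREWALL_MARKER)
    if first == -1:
        return False
    # distance:0 -> the second content must start at or after the end of the first
    second = body.find(IPV6_MARKER, first + len(FIREWALL_MARKER))
    if second == -1:
        return False
    # /R anchors the regex at the byte immediately after the previous match
    return INJECTION_LEAD.match(body[second + len(IPV6_MARKER):]) is not None


# Constructed sample requests (not captured traffic); "<cmd>" is a placeholder.
SAMPLES = {
    "benign_config_save": (b"POST", b"/cgi?2&2",
        b"placeholder=1\r\nX_TP_FirewallEnabled=1\r\nX_TP_ExternalIPv6Address=2001:db8::1\r\n"),
    "injection_attempt": (b"POST", b"/cgi?2&2",
        b"placeholder=1\r\nX_TP_FirewallEnabled=1\r\nX_TP_ExternalIPv6Address=;<cmd>\r\n"),
    "markers_out_of_order": (b"POST", b"/cgi?2&2",
        b"X_TP_ExternalIPv6Address=;<cmd>\r\nX_TP_FirewallEnabled=1\r\n"),
    "other_endpoint": (b"POST", b"/cgi?1&1",
        b"placeholder=1\r\nX_TP_FirewallEnabled=1\r\nX_TP_ExternalIPv6Address=`<cmd>`\r\n"),
}


def flagged(samples=SAMPLES):
    """Names of the samples the rule logic would alert on."""
    return sorted(n for n, (m, u, b) in samples.items() if matches_cve_2022_25064(m, u, b))


if __name__ == "__main__":
    print(flagged())  # ['injection_attempt']
```

The out-of-order sample shows why the rule's distance:0 ordering matters: both markers are present, but the IPv6 field does not follow the firewall field, so no alert fires.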

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | - | 9.8 | CRITICAL | -