CVE-2022-25064
Published 2022-02-25. CVE-2022-25064: TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.
- Priority: P1 (82)
- Severity: critical, CVSS 3.1 base score 9.8
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- In the wild: listed in VulnCheck KEV (exploited in the wild)
- EPSS: 39.78% (98.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tl-wr840n_firmware | — | — |
Detection & IOCs (extracted from sources)
- URL: /cgi?2&2
- Snort/Suricata rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi?2&2"; fast_pattern; http.request_body; content:"|0d 0a|X_TP_FirewallEnabled"; content:"|0d 0a|X_TP_ExternalIPv6Address="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2022-25064; classtype:attempted-admin; sid:2035455; rev:1; metadata:created_at 2022_03_15, cve CVE_2022_25064, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_15;)
- Bytes: |0d 0a|X_TP_FirewallEnabled
- Bytes: |0d 0a|X_TP_ExternalIPv6Address=
- Exploit arrives as an inbound HTTP POST request to the /cgi?2&2 endpoint on the target device.
- The POST body contains the parameter X_TP_ExternalIPv6Address= with a value beginning with a shell injection character: semicolon (0x3b), newline (0x0a), ampersand (0x26), backtick (0x60), pipe (0x7c), or dollar sign (0x24).
- The vulnerable function is oal_wan6_setIpAddr; RCE is triggered via the IPv6 address field in the WAN6 configuration CGI handler.
- Both X_TP_FirewallEnabled and X_TP_ExternalIPv6Address= must appear in the POST body (in that order) for the exploit to be valid; use both as co-occurring body signatures.
- The Snort/Suricata rule targets inbound traffic to $HOME_NET/$HTTP_SERVERS; ensure the TP-LINK device's management IP is included in these variables for the rule to fire.
- The rule was created and last updated on 2022-03-15 (rev:1); verify whether updated revisions exist before deploying.
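The following is an added example, not code from the page or from Emerging Threats: it re-implements the matching conditions of rule sid:2035455 in Python and runs them over constructed HTTP requests, so a defender can confirm what the rule does and does not fire on (including the parameter-order requirement noted above). The body section header and values are placeholders, not captured traffic.

```python
import re

# First body content of the rule; the second content must follow it (distance:0).
FIRST = b"\r\nX_TP_FirewallEnabled"
# Second content plus the rule's pcre with /R: the injection character must
# sit immediately after the '=' sign (; \n & ` | $).
SECOND_RE = re.compile(rb"\r\nX_TP_ExternalIPv6Address=[\x3b\x0a\x26\x60\x7c\x24]")

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    return method, uri, body

def matches_sid_2035455(raw: bytes) -> bool:
    """Return True only when every condition of the ET rule is satisfied."""
    method, uri, body = parse_request(raw)
    if method != b"POST" or b"/cgi?2&2" not in uri:
        return False
    pos = body.find(FIRST)
    if pos < 0:
        return False
    # Only look past the end of the first match, mirroring distance:0.
    return SECOND_RE.search(body, pos + len(FIRST)) is not None

def _req(body: bytes, uri: bytes = b"/cgi?2&2") -> bytes:
    """Build a constructed POST request (host address is a placeholder)."""
    return b"POST " + uri + b" HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n" + body

# Constructed samples; "[SECTION]" stands in for the device's real body header.
SAMPLES = {
    "benign": _req(b"[SECTION]\r\nX_TP_FirewallEnabled=1\r\nX_TP_ExternalIPv6Address=2001:db8::1\r\n"),
    "injection": _req(b"[SECTION]\r\nX_TP_FirewallEnabled=1\r\nX_TP_ExternalIPv6Address=;PLACEHOLDER\r\n"),
    # Same value, parameters reversed: the rule needs FirewallEnabled first.
    "wrong_order": _req(b"[SECTION]\r\nX_TP_ExternalIPv6Address=;PLACEHOLDER\r\nX_TP_FirewallEnabled=1\r\n"),
    # Same body sent to another CGI path: the http.uri condition fails.
    "other_uri": _req(b"[SECTION]\r\nX_TP_FirewallEnabled=1\r\nX_TP_ExternalIPv6Address=;PLACEHOLDER\r\n", uri=b"/cgi?1&5"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {'ALERT' if matches_sid_2035455(raw) else 'no match'}")
```

The "wrong_order" case shows the rule's blind spot: a request with the same injected value but the parameters reversed does not trigger it, so treat the rule as a high-confidence signature rather than complete coverage.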
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-66jq-wfrj-9h9w (unreviewed, 2022-02-26): CVE-2022-25064 [CRITICAL], CWE-77, TP-LINK TL-WR840N(ES)_V6
VulnCheck
CVE-2022-25064 [CRITICAL] (2022, CVSS 9.8): TP-Link tl-wr840n_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: TP-Link tl-wr840n_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/2024-07/aa24-207a-dprk-cyber-group-conducts-global-espionage-campaign.pdf
Suricata
CVE-2022-25064 [CRITICAL] (2022-03-15, CVSS 9.8): ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064), sid:2035455 rev:1 (full rule text listed under Detection & IOCs)
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://router.com
- http://tp-link.com
- https://east-trowel-102.notion.site/CVE-2021-XXXX-rce-via-crafted-payload-in-an-ipv6-address-input-field-hidden-EN-98e24b6f841043fba17ec4627c34f5d1