CVE-2022-30075
published 2022-06-09


Priority: P1 (85, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit status: VulnCheck KEV, exploited in the wild
EPSS: 36.95% (98.3rd percentile)
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.

Affected (1 range)

Vendor    Product                Version range   Fixed in
tp-link   archer_ax50_firmware   <= 210730       -

Detection & IOCs (extracted from sources)

url      http://<target>/cgi-bin/luci/;stok=<stok>/login?form=auth
url      /admin/firmware?form=config_multipart
url      /login?form=auth
url      /login?form=keys
command  /usr/sbin/telnetd -l /bin/login.sh
path     /cgi-bin/luci/;stok=
  • Monitor HTTP POST requests to /cgi-bin/luci/;stok=<token>/admin/firmware?form=config_multipart with operation=restore, which is the upload vector for the malicious backup config file triggering RCE.
  • Detect spawning of telnetd from a web/CGI process context on TP-Link AX50 devices, specifically the command '/usr/sbin/telnetd -l /bin/login.sh', which is the default post-exploitation payload.
  • Alert on HTTP POST to /cgi-bin/luci/ paths containing the literal string ';stok=' in the URL, which is characteristic of this exploit's authenticated session abuse pattern.
  • The exploit injects a command payload into the router's XML config file inside a <script> tag element before re-encrypting and restoring it. Inspect restored backup archives for unexpected <script> blocks in the XML config.
  • The exploit uses AES-CBC with a 16-byte key/IV derived from concatenated time and random floats. The encrypted backup file will have a .bin extension. Anomalous config restore operations (operation=restore) shortly after a backup download (operation=backup) on the same session are a strong behavioral indicator.
  • Exploitation requires valid authentication credentials (admin password) to the router web interface before the malicious backup can be uploaded.
  • The exploit targets TP-Link Router AX50 firmware version 210730 and older only; newer firmware versions are not confirmed vulnerable.
  • The payload is embedded inside the router's own decrypted XML config and re-encrypted before upload, meaning static file scanning of the .bin archive without decryption will not reveal the malicious content.
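The detection bullets above describe two signals that can be checked against web-server access logs: a POST to the config_multipart endpoint with operation=restore, and a backup download followed shortly by a restore on the same stok session. The following is an added example (not code from this database page or from TP-Link) that implements both checks over a few constructed log lines. It assumes a combined-log-format source and that the form and operation parameters are visible in the logged request line; where a proxy logs multipart body fields separately, the classify() step would read them from there instead.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); addresses are from the
# documentation range 192.0.2.0/24 and the stok values are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jun/2022:10:00:01 +0000] "POST /cgi-bin/luci/;stok=abc123/admin/firmware?form=config_multipart&operation=backup HTTP/1.1" 200 5120
192.0.2.10 - - [09/Jun/2022:10:00:40 +0000] "POST /cgi-bin/luci/;stok=abc123/admin/firmware?form=config_multipart&operation=restore HTTP/1.1" 200 120
192.0.2.11 - - [09/Jun/2022:11:00:00 +0000] "GET /cgi-bin/luci/;stok=def456/admin/status?form=all HTTP/1.1" 200 2048
192.0.2.12 - - [09/Jun/2022:12:00:00 +0000] "POST /cgi-bin/luci/;stok=ghi789/admin/firmware?form=config_multipart&operation=restore HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# LuCI-style session token embedded in the path: /cgi-bin/luci/;stok=<token>/<rest>
STOK_RE = re.compile(r'^/cgi-bin/luci/;stok=(?P<stok>[^/]*)(?P<rest>/.*)$')
# Backup-then-restore correlation window (assumed value, tune to the environment)
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one combined-log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    parts = urlsplit(m['target'])          # urlsplit keeps ';stok=...' inside the path
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sm = STOK_RE.match(parts.path)
    return {
        'ip': m['ip'], 'ts': ts, 'method': m['method'], 'status': int(m['status']),
        'stok': sm['stok'] if sm else None,
        'rest': sm['rest'] if sm else parts.path,
        'params': params,
    }


def classify(event):
    """Tag a single request as 'config_backup', 'config_restore', or None (benign)."""
    if event is None or event['stok'] is None:
        return None
    if (event['method'] == 'POST' and event['rest'] == '/admin/firmware'
            and event['params'].get('form') == 'config_multipart'):
        op = event['params'].get('operation')
        if op == 'restore':
            return 'config_restore'
        if op == 'backup':
            return 'config_backup'
    return None


def detect(log_text):
    """Run both rules over a log text; returns a list of alert dicts in log order."""
    alerts = []
    last_backup = {}                       # stok -> timestamp of most recent backup download
    for line in log_text.splitlines():
        ev = parse_line(line)
        tag = classify(ev)
        if tag == 'config_backup':
            last_backup[ev['stok']] = ev['ts']
        elif tag == 'config_restore':
            severity, reason = 'medium', 'config restore via config_multipart'
            prev = last_backup.get(ev['stok'])
            if prev is not None and ev['ts'] - prev <= WINDOW:
                severity = 'high'
                reason = 'backup download followed by restore on the same stok within %d s' % WINDOW.total_seconds()
            alerts.append({'ip': ev['ip'], 'stok': ev['stok'], 'ts': ev['ts'].isoformat(),
                           'severity': severity, 'reason': reason})
    return alerts


if __name__ == '__main__':
    for a in detect(SAMPLE_LOG):
        print(a)
```

Only the restore requests produce alerts; the backup request itself is recorded per session so that a restore on the same stok inside the window is escalated to high, matching the behavioral indicator described above. A plain restore with no preceding backup is still reported at medium, since a restore uploaded from a file prepared elsewhere would show no backup on that session.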

CVSS provenance

nvd         v3.1   8.8   HIGH     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck          8.8   HIGH