CVE-2022-30075
Published: 2022-06-09
Summary: In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper…
Priority: P1 · 85 · high · CVSS 3.1 8.8
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 36.95% (98.3rd percentile)
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_ax50_firmware | <= 210730 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to /cgi-bin/luci/;stok=<token>/admin/firmware?form=config_multipart with operation=restore; this is the upload vector for the malicious backup config file that triggers the RCE.
- Detect telnetd being spawned from a web/CGI process context on TP-Link AX50 devices, specifically the command '/usr/sbin/telnetd -l /bin/login.sh', which is the default post-exploitation payload.
- Alert on HTTP POSTs to /cgi-bin/luci/ paths containing the literal string ';stok=' in the URL, which is characteristic of this exploit's authenticated-session abuse pattern.
- The exploit injects a command payload into the router's XML config file inside a <script> tag element before re-encrypting and restoring it. Inspect restored backup archives for unexpected <script> blocks in the XML config.
- The exploit uses AES-CBC with a 16-byte key/IV derived from concatenated time and random floats; the encrypted backup file has a .bin extension. A config restore (operation=restore) shortly after a backup download (operation=backup) on the same session is a strong behavioral indicator.
- Exploitation requires valid authentication credentials (the admin password) for the router web interface before the malicious backup can be uploaded.
- The exploit targets TP-Link Router AX50 firmware version 210730 and older only; newer firmware versions are not confirmed vulnerable.
- The payload is embedded inside the router's own decrypted XML config and re-encrypted before upload, so static scanning of the .bin archive without decryption will not reveal the malicious content.
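The restore-after-backup indicator above, as an added detection example that is not part of the original record or of any listed source. It assumes a constructed log format in which a proxy or WAF has written the form's operation field as `op=<value>` after the request path; the log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "<ISO time> <client> <method> <path> op=<operation>".
# A real proxy or WAF will log the multipart "operation" field differently; adapt LINE_RE.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 GET /cgi-bin/luci/;stok=abc123/admin/status?form=all op=-
2024-05-01T10:00:20Z 192.0.2.10 POST /cgi-bin/luci/;stok=abc123/admin/firmware?form=config_multipart op=backup
2024-05-01T10:00:55Z 192.0.2.10 POST /cgi-bin/luci/;stok=abc123/admin/firmware?form=config_multipart op=restore
2024-05-01T12:30:00Z 192.0.2.11 POST /cgi-bin/luci/;stok=def456/admin/firmware?form=config_multipart op=restore
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) op=(\S+)$")
# The config backup/restore endpoint from the IOC list, keyed by the session's stok token.
STOK_RE = re.compile(r";stok=([^/]+)/admin/firmware\?form=config_multipart")
WINDOW = timedelta(minutes=5)  # assumed: how close a backup and restore must be to escalate


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, op = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "path": path, "op": op}


def detect(log_text):
    """Return (time, client, stok, severity) alerts. Every config restore is flagged
    as medium; a restore within WINDOW of a backup on the same stok session is high."""
    alerts = []
    last_backup = {}  # stok -> time of the most recent backup on that session
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["method"] != "POST":
            continue
        m = STOK_RE.search(ev["path"])
        if not m:
            continue
        stok = m.group(1)
        if ev["op"] == "backup":
            last_backup[stok] = ev["ts"]
        elif ev["op"] == "restore":
            sev = "medium"
            if stok in last_backup and ev["ts"] - last_backup[stok] <= WINDOW:
                sev = "high"  # backup-then-restore on one session
            alerts.append((ev["ts"].isoformat(), ev["client"], stok, sev))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```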
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- VulnCheck: 8.8 HIGH
GHSA
GHSA-v9jp-6f8q-2xfm · ghsa_unreviewed · 2022-06-10 · CVE-2022-30075 [HIGH]
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.
VulnCheck
CVE-2022-30075 [HIGH] TP-Link Router AX50 Authenticated Remote Code Execution Vulnerability · vulncheck · 2022 · CVSS 8.8
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.
Affected: TP-Link archer_ax50_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.aquasec.com/blog/matrix-unleashes-a-new-widespread-ddos-campaign/
Exploit PoC: https://vulncheck.com/xdb/37e9dfd2edf1; https://vulncheck.com/xdb/b9fd6e2d6f15; https://vulncheck.com/xdb/941952aea6f9; https://vulncheck.com/xdb/18b79bacc0f5
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167522/TP-Link-AX50-Remote-Code-Execution.html
- http://tp-link.com
- https://github.com/aaronsvk
- https://github.com/aaronsvk/CVE-2022-30075
- https://www.exploit-db.com/exploits/50962