CVE-2022-48194
published 2022-12-30


Priority: P2 (69, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 33.48% (98.2nd percentile)
TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.

Affected (1 range)

Vendor: tp-link
Product: tl-wr902ac_firmware
Version range: <= 3.0.9.1
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: http://192.168.0.1/cgi/softup
path: /cgi/softup
path: /cgi/login
path: /cgi/getParm
cookie: JSESSIONID
  • Monitor for HTTP POST requests to /cgi/softup with a multipart file upload containing a firmware binary (filename field). This is the exploit's firmware upload endpoint used to deliver the malicious firmware.
  • Detect HTTP POST to /cgi/_gdpr with a body containing both 'sign=' and 'data=' fields — this is the encrypted command channel used by the exploit for authentication and session setup.
  • Alert on outbound or inbound TCP connections on port 3030 from/to a TP-Link TL-WR902AC device IP, which indicates a successful backdoor shell listener established by the malicious firmware.
  • Inspect uploaded firmware binaries for the presence of /etc/init.d/back startup script or modification of /etc/init.d/rcS to include '/etc/init.d/back &' — these are persistence indicators injected by the exploit.
  • The exploit uses a hardcoded AES key '7765636728821987' and IV '8775677306058909' for encrypting CGI request data. Network signatures can match these literal strings in HTTP POST bodies to /cgi/ endpoints.
  • The Referer header 'http://192.168.0.1/mainFrame.htm' is set on the malicious firmware upload POST request and can be used as a supplementary detection signal alongside the /cgi/softup endpoint.
  • The exploit targets only authenticated sessions — an attacker must first obtain valid credentials (default: admin/admin) before exploiting the firmware upload endpoint. Detection should account for prior authentication attempts.
  • The exploit is confirmed against firmware version TL-WR902AC(EU)_V3_0.9.1 Build 220329 only; other hardware versions or firmware builds may behave differently.
  • The vulnerability is described as affecting devices 'through V3 0.9.1', meaning all firmware versions up to and including this build are potentially vulnerable, not just the tested version.