CVE-2022-48194
Published 2022-12-30
Priority: P2 (69) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 33.48% (98.2th percentile)
TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tl-wr902ac_firmware | <= 3.0.9.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to /cgi/softup with a multipart file upload containing a firmware binary (filename field). This is the exploit's firmware upload endpoint used to deliver the malicious firmware.
- Detect HTTP POST to /cgi/_gdpr with a body containing both 'sign=' and 'data=' fields; this is the encrypted command channel used by the exploit for authentication and session setup.
- Alert on outbound or inbound TCP connections on port 3030 from/to a TP-Link TL-WR902AC device IP, which indicates a successful backdoor shell listener established by the malicious firmware.
- Inspect uploaded firmware binaries for the presence of an /etc/init.d/back startup script or modification of /etc/init.d/rcS to include '/etc/init.d/back &'; these are persistence indicators injected by the exploit.
- The exploit uses a hardcoded AES key '7765636728821987' and IV '8775677306058909' for encrypting CGI request data. Network signatures can match these literal strings in HTTP POST bodies to /cgi/ endpoints.
- The Referer header 'http://192.168.0.1/mainFrame.htm' is set on the malicious firmware upload POST request and can be used as a supplementary detection signal alongside the /cgi/softup endpoint.
- The exploit targets only authenticated sessions: an attacker must first obtain valid credentials (default: admin/admin) before exploiting the firmware upload endpoint. Detection should account for prior authentication attempts.
- The exploit is confirmed against firmware version TL-WR902AC(EU)_V3_0.9.1 Build 220329 only; other hardware versions or firmware builds may behave differently.
- The vulnerability is described as affecting devices 'through V3 0.9.1', meaning all firmware versions up to and including this build are potentially vulnerable, not just the tested version.
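The network and firmware indicators listed above can be turned directly into detection logic. The following is an added example, not code from the CVE record, the vendor or the referenced exploit repository: it checks constructed HTTP request records, TCP flow records and a firmware image fragment against the indicators on this page. The event record format, the field names, the device address 192.168.0.1 and all sample events are assumptions made for the example.

```python
"""Detection logic for the CVE-2022-48194 indicators listed on this page.

Added example (not from the CVE record or the referenced exploit). The
record formats, field names and sample events below are constructed."""
from __future__ import annotations

import re

# Literal indicator values taken from the IOC list on this page.
FIRMWARE_UPLOAD_PATH = "/cgi/softup"
ENCRYPTED_CGI_PATH = "/cgi/_gdpr"
BACKDOOR_PORT = 3030
HARDCODED_AES_KEY = b"7765636728821987"
HARDCODED_AES_IV = b"8775677306058909"
UPLOAD_REFERER = "http://192.168.0.1/mainFrame.htm"
PERSISTENCE_SCRIPT = b"/etc/init.d/back"
RCS_LAUNCH_LINE = b"/etc/init.d/back &"

# Assumed address of the managed router (constructed for this example).
DEVICE_IPS = {"192.168.0.1"}

# A multipart part that carries an uploaded file has a filename attribute.
_MULTIPART_FILENAME = re.compile(rb'Content-Disposition:[^\r\n]*filename="[^"]+"', re.I)


def classify_http(req: dict) -> list[str]:
    """Return the indicator labels matched by one HTTP request record.

    req has keys: method (str), path (str), headers (dict), body (bytes)."""
    hits: list[str] = []
    if req["method"] != "POST":
        return hits  # every listed HTTP indicator is a POST
    body = req.get("body", b"")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req["path"] == FIRMWARE_UPLOAD_PATH and _MULTIPART_FILENAME.search(body):
        hits.append("firmware-upload-softup")
        if headers.get("referer") == UPLOAD_REFERER:
            hits.append("upload-referer-mainframe")  # supplementary signal
    if req["path"] == ENCRYPTED_CGI_PATH and b"sign=" in body and b"data=" in body:
        hits.append("encrypted-cgi-gdpr-channel")
    if req["path"].startswith("/cgi/") and (HARDCODED_AES_KEY in body or HARDCODED_AES_IV in body):
        hits.append("hardcoded-aes-material-in-body")
    return hits


def classify_flow(flow: dict) -> list[str]:
    """Flag TCP flows on the backdoor port that touch a known device address.

    flow has keys: proto, src, sport, dst, dport."""
    if flow["proto"] != "tcp":
        return []
    if BACKDOOR_PORT in (flow["sport"], flow["dport"]):
        if flow["src"] in DEVICE_IPS or flow["dst"] in DEVICE_IPS:
            return ["backdoor-shell-port-3030"]
    return []


def scan_firmware_image(image: bytes) -> list[str]:
    """Report the persistence markers present in an uploaded firmware image."""
    hits: list[str] = []
    if PERSISTENCE_SCRIPT in image:
        hits.append("init-script-back")
    if RCS_LAUNCH_LINE in image:
        hits.append("rcS-launches-back")
    return hits


def run_detection(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each matching event to its indicator labels."""
    findings: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        labels = classify_http(ev) if ev["kind"] == "http" else classify_flow(ev)
        if labels:
            findings[i] = labels
    return findings


# Constructed sample events: one benign page load, one encrypted CGI call,
# one multipart firmware upload, one flow to port 3030 and one benign flow.
SAMPLE_EVENTS = [
    {"kind": "http", "method": "GET", "path": "/mainFrame.htm", "headers": {}, "body": b""},
    {"kind": "http", "method": "POST", "path": ENCRYPTED_CGI_PATH, "headers": {},
     "body": b"sign=0123abcd&data=ZmFrZQ=="},
    {"kind": "http", "method": "POST", "path": FIRMWARE_UPLOAD_PATH,
     "headers": {"Referer": UPLOAD_REFERER},
     "body": (b"--b\r\nContent-Disposition: form-data; name=\"filename\"; "
              b"filename=\"fw.bin\"\r\nContent-Type: application/octet-stream\r\n\r\n"
              b"\x00\x01\x02\x03\r\n--b--\r\n")},
    {"kind": "flow", "proto": "tcp", "src": "10.0.0.5", "sport": 51000,
     "dst": "192.168.0.1", "dport": BACKDOOR_PORT},
    {"kind": "flow", "proto": "tcp", "src": "10.0.0.5", "sport": 51001,
     "dst": "192.168.0.1", "dport": 80},
]

if __name__ == "__main__":
    for idx, labels in run_detection(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["kind"], labels)
```

The upload detector deliberately requires both the /cgi/softup path and a multipart part with a filename attribute, so a plain POST to the endpoint without an attached file does not fire on its own; the Referer match is reported as a second label rather than as a condition, matching the page's description of it as a supplementary signal.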
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171623/TP-Link-TL-WR902AC-Remote-Code-Execution.html
- https://github.com/otsmr/internet-of-vulnerable-things/tree/main/exploits