CVE-2023-27359
Published 2024-05-03
CVE-2023-27359: TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability.
Priority: P2 · 58 · high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.16% (63.1st percentile)
TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability. This vulnerability allows remote attackers to gain access to LAN-side services on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the hotplugd daemon. The issue results from firewall rule handling that allows an attacker access to resources that should be available to the LAN interface only. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the root user. Was ZDI-CAN-19664.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_ax21_firmware | — | — |
| tp-link | ax1800 | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to the /cgi-bin/luci/;stok=/locale?form=country endpoint with the 'operation=write' parameter, especially when the 'country' parameter contains shell metacharacters or command substitution syntax (e.g., $(...)).
- Exploitation requires two sequential POST requests to the same endpoint; alert on repeated POST requests to /cgi-bin/luci/;stok=/locale?form=country from the same source IP in a short time window.
- CVE-2023-27359 (hotplugd firewall race condition) is used in conjunction with the command injection to enable exploitation from the WAN interface; monitor for unauthenticated access attempts to LAN-only services from WAN-side IPs.
- The hotplugd daemon on TP-Link Archer AX21 mishandles firewall rules, temporarily exposing LAN-side services to the WAN; monitor for unexpected firewall rule changes or hotplugd process anomalies on affected devices.
- The command injection payload is only executed on the SECOND POST request to the country endpoint; a single request is not sufficient for exploitation.
- CVE-2023-27359 alone only exposes LAN-side services; it must be chained with the command injection vulnerability (ZDI-23-451) to achieve unauthenticated RCE from the WAN.
- TP-Link firmware version 1.1.4 Build 20230219 fixes the command injection by removing the vulnerable callback; patched devices are not susceptible to the chained WAN-side attack.
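The two detection points above (shell metacharacters in the 'country' parameter, and repeated POSTs to the country endpoint from one source within a short window) can be turned into a small log-analysis check. The script below is an added example, not code from the page's sources or from TP-Link; it assumes a WAF or reverse-proxy log that records the request body as one JSON object per line, and the log lines it runs on are constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the detection guidance above (path part only; the
# 'form=country' query is checked separately).
ENDPOINT_PATH = "/cgi-bin/luci/;stok=/locale"

# Command-substitution syntax and common shell metacharacters in the
# 'country' value. Tune to the log source's decoding behaviour.
METACHAR_RE = re.compile(r"\$\(|`|[;|&\n]")

# Constructed sample log (assumed shape: ts, src, method, uri, body).
SAMPLE_LOG = [
    '{"ts":"2024-05-03T10:00:00+00:00","src":"10.0.0.5","method":"POST",'
    '"uri":"/cgi-bin/luci/;stok=/locale?form=country","body":"operation=write&country=US"}',
    '{"ts":"2024-05-03T10:01:00+00:00","src":"203.0.113.7","method":"POST",'
    '"uri":"/cgi-bin/luci/;stok=/locale?form=country","body":"operation=write&country=US%24%28x%29"}',
    '{"ts":"2024-05-03T10:01:05+00:00","src":"203.0.113.7","method":"POST",'
    '"uri":"/cgi-bin/luci/;stok=/locale?form=country","body":"operation=write&country=US%24%28x%29"}',
    '{"ts":"2024-05-03T10:01:10+00:00","src":"203.0.113.7","method":"GET",'
    '"uri":"/cgi-bin/luci/;stok=/locale?form=country","body":""}',
    '{"ts":"2024-05-03T10:02:00+00:00","src":"10.0.0.5","method":"POST",'
    '"uri":"/cgi-bin/luci/;stok=/locale?form=lang","body":"operation=write&lang=en"}',
]


def parse_event(line):
    """Decode one JSON log line and turn its timestamp into a datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_country_write(ev):
    """True for POST /cgi-bin/luci/;stok=/locale?form=country with operation=write."""
    if ev.get("method") != "POST":
        return False
    parts = urlsplit(ev.get("uri", ""))
    if parts.path != ENDPOINT_PATH:
        return False
    if parse_qs(parts.query).get("form") != ["country"]:
        return False
    return parse_qs(ev.get("body", "")).get("operation") == ["write"]


def analyze(lines, window_seconds=60):
    """Return a list of (alert_type, src_ip, detail) tuples.

    'metachar': the country value contains shell metacharacters.
    'repeat':   another country-write POST from the same source landed
                within window_seconds (detail = count in the window).
    """
    alerts = []
    seen = defaultdict(list)  # src ip -> timestamps of country-write POSTs
    for line in lines:
        ev = parse_event(line)
        if not is_country_write(ev):
            continue
        country = parse_qs(ev.get("body", "")).get("country", [""])[0]
        if METACHAR_RE.search(country):
            alerts.append(("metachar", ev["src"], country))
        recent = [t for t in seen[ev["src"]]
                  if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
        if recent:
            alerts.append(("repeat", ev["src"], len(recent) + 1))
        seen[ev["src"]].append(ev["ts"])
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the sample, the legitimate write of `country=US` from 10.0.0.5 raises nothing, while the two writes from 203.0.113.7 five seconds apart raise a metacharacter alert each plus a repeat alert on the second one; the GET and the `form=lang` request are ignored. The window is a parameter because the guidance only says "a short time window", so the value should be set from the device's normal management traffic.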
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
No detection rules found.
No public exploits indexed.