cbcvebase.
CVE-2023-36355
published 2023-06-22

CVE-2023-36355: TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows…

PriorityP270critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EXPLOIT
EPSS
31.73%
98.1th percentile
TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

Detection & IOCsextracted from sources · hover to see the quote

url/userRpm/WanDynamicIpV6CfgRpm?ipStart=
path/userRpm/WanDynamicIpV6CfgRpm
commandGET /userRpm/WanDynamicIpV6CfgRpm?ipStart=AAAA...A (5000 bytes)
  • Alert on HTTP GET requests to /userRpm/WanDynamicIpV6CfgRpm containing an abnormally long ipStart parameter value (e.g., >1000 characters), indicative of a buffer overflow attempt against TP-Link TL-WR940N V4.
  • Monitor for repeated or large GET requests targeting the path /userRpm/WanDynamicIpV6CfgRpm on TP-Link router management interfaces, particularly from external or untrusted network segments.
  • Detect GET requests where the ipStart query parameter contains a long repetitive character sequence (e.g., 5000 'A' characters), which is the proof-of-concept trigger for this DoS buffer overflow.
  • ·The exploit targets TP-Link TL-WR940N V4 specifically; other hardware versions of the same model may not be affected.
  • ·The proof-of-concept uses a default router IP of 192.168.0.1; detection rules should not be scoped solely to this IP, as the management interface may be reachable on other addresses.
  • ·The payload length of 5000 bytes is noted as an example in the PoC; real-world attacks may use different lengths, so detection thresholds should be tuned conservatively.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.