CVE-2024-12344
published 2024-12-08CVE-2024-12344: A vulnerability, which was classified as critical, was found in TP-Link VN020 F3v(T) TT_V6.2.1021. This affects an unknown part of the component FTP USER…
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
1.81%
75.8th percentile
A vulnerability, which was classified as critical, was found in TP-Link VN020 F3v(T) TT_V6.2.1021. This affects an unknown part of the component FTP USER Command Handler. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | vn020_f3v | — | — |
| tp-link | vn020_f3v_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect oversized FTP USER commands (>=1100 bytes) sent to port 21 targeting TP-Link VN020 devices; payloads of 1100 bytes cause a delayed crash (5-10s) and 1450 bytes cause an immediate crash. ↗
- →Alert on FTP USER command payloads consisting of long repetitive byte sequences (e.g., 1450 'A' characters) sent to port 21 from unauthenticated sessions. ↗
- →Monitor for ICMP echo requests immediately following an FTP connection attempt to port 21 on the same target IP — the PoC uses ICMP ping to confirm device crash post-exploitation. ↗
- ·The hardcoded target IP in the PoC (192.168.1.1) is the default gateway address for TP-Link VN020 routers; real-world attackers may target any IP where the device is reachable, so detections should not be scoped solely to this IP. ↗
- ·The exploit is confirmed only against hardware version 1.0 of the VN020-F3v(T) running firmware TT_V6.2.1021; behavior on other hardware revisions or firmware versions is unconfirmed. ↗
- ·Payloads exceeding 1450 bytes produce undefined behavior/state corruption rather than a clean crash, meaning the device may remain partially responsive and evade crash-based detection heuristics. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
2024-12-08
Published