CVE-2024-53375
Published 2024-12-02
Priority: P2 · 78 · high · 8 (CVSS 3.1)
AV:A · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.68% (98.5th percentile)
An Authenticated Remote Code Execution (RCE) vulnerability affects the TP-Link Archer router series. A vulnerability exists in the "tmp_get_sites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the activation of the HomeShield functionality.
Detection & IOCs (extracted from sources)
- Check Point IPS signature available for CVE-2024-53375 targeting TP-Link Archer routers
- CVE-2024-53375 is being actively exploited by the Mirai-based ShadowV2 botnet alongside other IoT vulnerabilities for DDoS campaigns
- Vulnerability resides in the 'tmp_get_sites' function of the HomeShield functionality on TP-Link Archer routers; exploitable even without HomeShield activation
- The RCE vulnerability requires authentication to exploit, limiting unauthenticated attack surface
- HomeShield feature does NOT need to be enabled for the vulnerability to be exploitable — disabling HomeShield is not a sufficient mitigation
CVSS provenance
nvd · v3.1 · 8.0 · HIGH · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.0 · HIGH
GHSA
GHSA-wx8m-vcrx-w4p5: Authenticated remote code execution (RCE) vulnerabilities affect TP-Link Archer, Deco, and Tapo series routers
ghsa_unreviewed·2024-12-03
CVE-2024-53375 [HIGH] CWE-78 GHSA-wx8m-vcrx-w4p5: Authenticated remote code execution (RCE) vulnerabilities affect TP-Link Archer, Deco, and Tapo series routers
Authenticated remote code execution (RCE) vulnerabilities affect TP-Link Archer, Deco, and Tapo series routers. A vulnerability exists in the "tmp_get_sites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the installation or activation of the HomeShield functionality.
VulnCheck
TP-Link archer_axe75_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2024·CVSS 8.0
CVE-2024-53375 [HIGH] TP-Link archer_axe75_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An Authenticated Remote Code Execution (RCE) vulnerability affects the TP-Link Archer router series. A vulnerability exists in the "tmp_get_sites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the activation of the HomeShield functionality.
Affected: TP-Link archer_axe75_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
Exploit PoC: https://vulncheck.com/xdb/d0dc4b354ca7
No detection rules found.
No public exploits indexed.
Checkpoint
1st December – Threat Intelligence Report
blogs_checkpoint·2025-12-01
CVE-2024-10914 1st December – Threat Intelligence Report
## 1st December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate location, operating system, browser information, referring websites, and organization or u
Fortinet
ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab
blogs_fortinet·2025-11-26
Inside the Latest Mirai Variant Targeting IoT Devices Worldwide
By Vincent Li | November 26, 2025
Affected Platforms: DD-WRT 24 sp1, D-Link DNS-320 FW v2.06B01 Revision Ax, D-Link Go-RT-AC750 GORTAC750_revA_v101b03, D-Link GO-RT-AC750_revB_FWv200b02, Digiever DS-2105 Pro 3.1.0.71-11, TBK DVR-4104, TBK DVR-4216, D-Link DNS-320, D-Link DNS-320LW, D-Link DNS-325, D-Link DNS-340L, TP-Link Archer router series
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
At the end of October, during a global disr
Bleepingcomputer
New ShadowV2 botnet malware used AWS outage as a test opportunity
blogs_bleepingcomputer·2025-11-26·CVSS 8.3
[HIGH] New ShadowV2 botnet malware used AWS outage as a test opportunity
## New ShadowV2 botnet malware used AWS outage as a test opportunity
By Bill Toulas
A new Mirai-based botnet malware named ‘ShadowV2’ has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
Fortinet’s FortiGuard Labs researchers spotted the activity during the major AWS outage in October. Although the two incidents are not connected, the botnet was active only for the duration of the outage, which may indicate that it was a test run.
ShadowV2 spread by leveraging at least eight vulnerabilities in multiple IoT products:
- DD-WRT (CVE-2009-2765)
- D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915)
- DigiEver (CVE-2023-52163)
- TBK (CVE-2024-3721)
- TP-Link (CVE-2024-53375)
Among these flaws, CVE-2024-10914