cbcvebase.
CVE-2024-57049
published 2025-02-18


Priority: P187 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit (VulnCheck KEV): exploited in the wild
EPSS: 3.21% (86.6th percentile)
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."

Affected

1 range
Vendor  | Product             | Version range | Fixed in
tp-link | archer_c20_firmware |               |

Detection & IOCs (extracted from sources)

url:    POST /cgi/getGDPRParm HTTP/1.1
path:   /cgi/getGDPRParm
path:   /cgi
other:  Referer: http://tplinkwifi.net
bytes:  $.ret=0;
  • Detect authentication bypass attempts by monitoring HTTP requests to paths under /cgi that include a 'Referer: http://tplinkwifi.net' header from external/untrusted sources.
  • A successful bypass response will return HTTP 200 with Content-Type 'application/javascript' and a body containing both '$.ret=0;' and 'var ' strings.
  • FOFA fingerprinting query 'body="Archer C20"' can be used to identify exposed TP-Link Archer C20 devices on the internet for targeted scanning.
  • The specific vulnerable endpoint confirmed in PoC is POST /cgi/getGDPRParm; monitor for unauthenticated POST requests to this path.
  • The supplier disputes the severity of this vulnerability, claiming the accessible data is limited to non-sensitive UI initialization variables, not full administrative access.
  • The authentication bypass applies to firmware version V6.6_230412 and earlier; devices on later firmware versions may not be affected.

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL