CVE-2024-57049
published 2025-02-18CVE-2024-57049: A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of…
PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.21%
86.6th percentile
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_c20_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
$.ret=0;
- →Detect authentication bypass attempts by monitoring HTTP requests to paths under /cgi that include a 'Referer: http://tplinkwifi.net' header from external/untrusted sources. ↗
- →A successful bypass response will return HTTP 200 with Content-Type 'application/javascript' and a body containing both '$.ret=0;' and 'var ' strings. ↗
- →FOFA fingerprinting query 'body="Archer C20"' can be used to identify exposed TP-Link Archer C20 devices on the internet for targeted scanning. ↗
- →The specific vulnerable endpoint confirmed in PoC is POST /cgi/getGDPRParm; monitor for unauthenticated POST requests to this path. ↗
- ·The supplier disputes the severity of this vulnerability, claiming the accessible data is limited to non-sensitive UI initialization variables, not full administrative access. ↗
- ·The authentication bypass applies to firmware version V6.6_230412 and earlier; devices on later firmware versions may not be affected. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
TP-LINK Archer C20 up to 6.6_230412 /cgi improper authentication
vuldb·2026-07-01
CVE-2024-57049 [CRITICAL] TP-LINK Archer C20 up to 6.6_230412 /cgi improper authentication
This issue is likely a false positive. Please verify the cited sources and consider not including this entry.
GHSA
GHSA-qr32-fcm4-m5h9: A vulnerability in the TP-Link Archer c20 router with firmware version V6
ghsa_unreviewed·2025-02-18
CVE-2024-57049 [CRITICAL] CWE-287 GHSA-qr32-fcm4-m5h9: A vulnerability in the TP-Link Archer c20 router with firmware version V6
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing the authentication.
VulnCheck
TP-Link archer_c20_firmware Improper Authentication
vulncheck·2024·CVSS 9.8
CVE-2024-57049 [CRITICAL] TP-Link archer_c20_firmware Improper Authentication
TP-Link archer_c20_firmware Improper Authentication
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."
Affected: TP-Link Archer c20 Router
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=20
Suricata
ET WEB_SPECIFIC_APPS TP-Link Authentication Bypass Attempt (CVE-2024-57050,2024-57049)
suricata·2025-04-07·CVSS 9.8
CVE-2024-57050 [CRITICAL] ET WEB_SPECIFIC_APPS TP-Link Authentication Bypass Attempt (CVE-2024-57050,2024-57049)
ET WEB_SPECIFIC_APPS TP-Link Authentication Bypass Attempt (CVE-2024-57050,2024-57049)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TP-Link Authentication Bypass Attempt (CVE-2024-57050,2024-57049)"; flow:established,to_server; http.referer; content:"http|3a 2f 2f|tplinkwifi.net"; reference:cve,2024-57050; reference:url,github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/WR840N%20v6/ACL%20bypass%20Vulnerability%20in%20TP-Link%20TL-WR840N.md; classtype:attempted-admin; sid:2061360; rev:1; metadata:affected_product TPLINK, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_04_07, cve CVE_2024_57050_CVE_2024_57049, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at
Nuclei
TP-Link Archer C20 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-57049 [CRITICAL] TP-Link Archer C20 - Authentication Bypass
TP-Link Archer C20 - Authentication Bypass
A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass authentication on interfaces under the /cgi directory. When adding a Referer header with value "http://tplinkwifi.net" to requests, the router will recognize the request as passing authentication, allowing access to protected administration interfaces.
Template:
id: CVE-2024-57049
info:
name: TP-Link Archer C20 - Authentication Bypass
author: ritikchaddha
severity: critical
description: |
A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass authentication on interfaces under the /cgi directory. When adding a Referer header w
No writeups or analysis indexed.
2025-02-18
Published
Exploited in the wild