# TP-Link - CVE-2024-5035

**TP-Link Archer C5400**<mark style="color:red;">**X**</mark>, prior to release `Archer C5400X(EU)_V1_1.1.7 Build 20240510`, is vulnerable to <mark style="color:red;">**remote code execution**</mark> through the `rftest` binary exposed on TCP ports 8888, 8889 and 8890.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2F3wtJqMhEG3UfARBey25u%2Frouter.webp?alt=media&#x26;token=f809a00c-b69f-4d34-a8f1-cf9aa6a94121" alt=""><figcaption></figcaption></figure>

## Proof-of-Concept

While the network service is designed to only accept commands that start with "[wl](https://wiki.dd-wrt.com/wiki/index.php/Wl_command)" or "[nvram get](https://wiki.dd-wrt.com/wiki/index.php/Hardware#NVRAM)", ONEKEY found that the restriction could be trivially bypassed by injecting a command after a shell meta-character such as `;`, `&` or `|` (e.g., `wl;id;`), because the check only looks at the prefix before the whole string reaches a shell.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2F4C085KTMdYy9Y2r5a0F1%2Fimage.png?alt=media&#x26;token=50908123-8286-4afd-95ff-84ec6cc6e2db" alt=""><figcaption></figcaption></figure>
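The following is an added illustration, not the `rftest` source, of why a prefix-only allowlist fails against the `wl;id;` bypass described above and what a stricter check looks like: reject shell meta-characters outright, compare whole tokens rather than prefixes, and hand the tokens to `execv()` as `argv` instead of passing the string to a shell. The `"nvram get lan_ipaddr"` key in the test is a constructed sample value.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Weak check (illustrative reconstruction of the flawed pattern): a prefix
 * match on "wl" / "nvram get" accepts "wl;id;" and "wlx", since nothing after
 * the prefix is inspected before the string is executed by a shell. */
int prefix_allowlist(const char *cmd) {
    return strncmp(cmd, "wl", 2) == 0 || strncmp(cmd, "nvram get", 9) == 0;
}

/* Stricter check: no shell meta-characters anywhere, and the first
 * whitespace-separated token must be exactly "wl", or the first two exactly
 * "nvram" "get".  The caller should then build argv from these tokens and
 * call execv()/execvp() directly; never system() or popen(). */
int strict_allowlist(const char *cmd) {
    const char *meta = ";&|`$()<>\n\r\\\"'";
    char buf[256];
    char *save = NULL, *tok;

    if (strpbrk(cmd, meta) != NULL)          /* any metachar -> reject */
        return 0;
    if (strlen(cmd) >= sizeof buf)           /* keep the copy bounded */
        return 0;
    strcpy(buf, cmd);

    tok = strtok_r(buf, " \t", &save);
    if (tok == NULL)
        return 0;
    if (strcmp(tok, "wl") == 0)
        return 1;
    if (strcmp(tok, "nvram") == 0) {
        tok = strtok_r(NULL, " \t", &save);
        return tok != NULL && strcmp(tok, "get") == 0;
    }
    return 0;
}

int main(void) {
    const char *samples[] = { "wl ver", "wl;id;", "wlx", "nvram get lan_ipaddr" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s prefix=%d strict=%d\n", samples[i],
               prefix_allowlist(samples[i]), strict_allowlist(samples[i]));
    return 0;
}
```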

I have tried to emulate similar TP-Link devices, such as **Archer C5400**, but have not been able to reproduce the exploit. [FirmAE](https://0xpthree.gitbook.io/notes/development/docker/firmae-emulate-firmware) does not support emulation of Archer C5400X.
