TP-Link - CVE-2024-5035
TP-Link Archer C5400X, prior to release Archer C5400X(EU)_V1_1.1.7 Build 20240510, is vulnerable to remote code execution through the rftest binary exposed on TCP ports 8888, 8889 and 8890.

Proof-of-Concept
While the network service is designed to only accept commands that start with "wl" or "nvram get", ONEKEY found that the restriction could be trivially bypassed by injecting a command after shell meta-characters like ;, & or | (e.g., "wl;id;").
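The following added example (not code from rftest, TP-Link or ONEKEY) contrasts a prefix-only check of the kind described above with a stricter validator that rejects shell meta-characters. The function names, the character allowlist and the 128-byte length limit are assumptions made for illustration, and the sample inputs other than "wl;id;" are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Command prefixes the service is meant to accept, per the advisory text. */
static const char *const PREFIXES[] = { "wl", "nvram get" };
#define NPREFIX (sizeof PREFIXES / sizeof PREFIXES[0])

/* Flawed pattern: only the start of the string is inspected, so whatever
 * follows the prefix is passed to the shell unchecked. */
int prefix_only_allowed(const char *cmd)
{
    for (size_t i = 0; i < NPREFIX; i++)
        if (strncmp(cmd, PREFIXES[i], strlen(PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Stricter check (hypothetical mitigation): the prefix must be a whole word
 * and every byte must come from a small allowlist, so ; & | ` $ ( ) < >,
 * quotes and newlines are all rejected. */
int strict_allowed(const char *cmd)
{
    size_t len = strlen(cmd);
    int matched = 0;

    if (len == 0 || len > 128)          /* assumed upper bound */
        return 0;
    for (size_t i = 0; i < NPREFIX; i++) {
        size_t n = strlen(PREFIXES[i]);
        if (strncmp(cmd, PREFIXES[i], n) == 0 && (cmd[n] == ' ' || cmd[n] == '\0'))
            matched = 1;
    }
    if (!matched)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)cmd[i];
        if (!(isalnum(c) || c == ' ' || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *s[] = { "wl ver", "nvram get wl0_ssid", "wl;id;", "wlan" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s prefix-only=%d strict=%d\n", s[i],
               prefix_only_allowed(s[i]), strict_allowed(s[i]));
    return 0;
}
```

Input validation of this kind is a second line of defence: splitting the accepted command into an argument vector and running it with `execve` instead of a shell removes the meta-character interpretation altogether.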

I have tried to emulate similar TP-Link devices, such as Archer C5400, but have not been able to reproduce the exploit. FirmAE does not support emulation of Archer C5400X.