CVE ID: CVE-2023-28760

CVSS Score: 8.8, (/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: TP-Link

Affected Products: TP-Link Archer AX20, TP-Link Archer AX21 (Firmware 2.1.6 Build 20220128)

Vulnerability Details:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX20 and AX21 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the misconfiguration of the db_dir mindlnad setting. The issue results from the control of the minidlnad database file. An attacker can leverage this vulnerability to trigger a known stack based buffer overflow and execute code in the context of root.

Vendor Response:

TP-Link has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline:

  • 2023-02-04 – Sent to TP-Link Support

  • 2023-03-12 – Sent follow up email inquiring about the status of the report

  • 2023-03-17 – Received a reply stating the firmware has been patched

  • 2023-03-18 – Sent a followup email inquiring about a public advisory to inform their customers

  • 2023-03-21 – TP-Link support state that they cannot provide any security advisory and suggests that Source Incite remind users to upgrade to the latest firmware

  • 2023-03-27 – Coordinated public release of advisory in order to remind users of an upgrade

Proof of Concept: /pocs/

Credit: This vulnerability was discovered by Rocco Calvi and Steven Seeley of Incite Team