TP-Link CWMP Binary Stack-Based Buffer Overflow Vulnerability in AX10 and AX1500 Routers Allowing Authenticated Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the CWMP (TR-069) implementation of TP-Link Archer AX10 and AX1500 routers. It allows an authenticated attacker to execute arbitrary code remotely, but exploitation requires a Man-In-The-Middle (MITM) attack. The issue is present in multiple firmware versions across different hardware releases of the affected router models.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution on the affected router, with the executed code running with root privileges.

Reproduction

The vulnerability can be reproduced by sending a crafted CWMP SOAP message, specifically one that includes the 'SetParameterValues' operation. To exploit the buffer overflow, the message must be intercepted and modified during transmission. When the CWMP service on the router processes the modified message, a stack-based buffer overflow occurs that can be exploited to execute arbitrary code.

Remediation

Users are advised to update their routers to the latest firmware version. For the AX10, this means updating to version 1.2.1 or later. AX1500 users should update to version 1.3.12 or later.
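
To check a fleet against the fixed versions above, the following is an added example (not part of the original advisory or any TP-Link tooling) that audits an inventory and compares firmware versions numerically, so that 1.3.9 is correctly treated as older than 1.3.12. The inventory layout, host names and firmware string format are constructed assumptions.

```python
import re

# Fixed firmware versions as stated in the Remediation section.
FIXED = {"AX10": (1, 2, 1), "AX1500": (1, 3, 12)}

# Constructed sample inventory (hypothetical hosts): hostname,model,firmware
SAMPLE_INVENTORY = """\
rtr-lobby,Archer AX10,1.2.0
rtr-lab,Archer AX10 v1.20,1.2.1
rtr-branch,AX1500,1.3.9 Build 20230101
rtr-hq,Archer AX1500,1.3.12
rtr-old,Archer AX1500,unknown
rtr-other,Archer C7,3.15.3
"""

def parse_version(text):
    """Return the leading major.minor.patch as a tuple of ints, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(model, firmware):
    """Classify one device as vulnerable, patched, unknown or not-listed."""
    # Try 1500 before 10 so "AX1500" is never read as "AX10".
    m = re.search(r"\bAX(1500|10)\b", model.upper())
    if not m:
        return "not-listed"   # model is not named in this advisory
    version = parse_version(firmware)
    if version is None:
        return "unknown"      # unreadable version: check the device by hand
    # Tuple comparison is numeric per component, unlike string comparison.
    return "patched" if version >= FIXED["AX" + m.group(1)] else "vulnerable"

def audit(inventory_text):
    """Map each hostname in the inventory to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, model, firmware = (f.strip() for f in line.split(",", 2))
        results[host] = classify(model, firmware)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as unknown should be checked manually rather than assumed patched.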

Added: Sep 6, 2025, 7:18 AM
Updated: Sep 6, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 7.5
exploitability: 5.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.