
TP-Link router exposed to RCE attack; patch issued


The firmware of the TP-Link Archer C5400X tri-band gaming router is affected by CVE-2024-5035, a vulnerability that could allow remote, unauthenticated attackers to take control of the device through command injection and buffer overflow attacks.

The rftest binary is used for the router's wireless interface self-test. During device initialisation this binary is launched and exposes a network listener on TCP ports 8888, 8889 and 8890. The issue arises because user-controlled input read from the TCP socket on port 8888 is not properly sanitised before it is executed by a shell.

The command injection vulnerability in the rftest binary is particularly concerning. When the device boots up, the /etc/init.d/wireless init script is executed, which eventually leads to the launching of the rftest binary through a series of script calls.

The attack chain explained. | Source: OneKey

“By successfully exploiting this flaw, remote unauthenticated attackers can gain arbitrary command execution on the device with elevated privileges. It’s unclear whether the binary is always launched and whether it is always exposed on LAN/WAN interfaces,” said researchers from OneKey.

The rftest binary starts a TCP server on port 8888 that accepts a specific set of commands. However, this service can be exploited by injecting additional commands using shell meta-characters such as ;, & or |.

Command injection via port 8888. | Source: OneKey

A remote attacker can connect to the service on port 8888 and inject a command to gain unauthorised access. For example, by sending crafted input that appends the `id` command after a permitted one, the attacker can execute `id` on the device, revealing the user identity under which the process runs.

To fix this flaw, TP-Link released a firmware update (version 1_1.2.7) that addresses these issues. The update mitigates the command injection vulnerability by rejecting any input containing shell meta-characters.
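The following is an added illustration, not code from the original article or from OneKey or TP-Link, of the injection pattern described above and of the two-layer fix: the meta-character filter the firmware update applies, plus running the permitted command without any shell so nothing can ride along. It assumes a single allowed command, `wl`, as a stand-in for whatever rftest actually accepts (the real allowlist is not given on this page), creates a harmless fake `wl` tool so the demo runs on any POSIX host, and listens on an ephemeral loopback port rather than the router's port 8888. The `id` payload matches the example in the text.

```python
import os
import shlex
import socket
import stat
import subprocess
import tempfile
import threading

# Assumption: the real rftest accepts a small set of wireless-test commands.
# "wl" stands in for that allowlist here; it is not taken from the advisory.
ALLOWED_COMMANDS = {"wl"}
# Characters a POSIX shell treats specially; any of them lets a second
# command ride along with an otherwise permitted one.
SHELL_META = set(";&|`$(){}<>\n\r")


def make_fake_wl():
    """Install a stand-in 'wl' tool in a temp dir so the demo runs anywhere."""
    tooldir = tempfile.mkdtemp(prefix="rftest-demo-")
    path = os.path.join(tooldir, "wl")
    with open(path, "w") as f:
        f.write('#!/bin/sh\necho "wl: $*"\n')
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return tooldir


def _env(tooldir):
    env = dict(os.environ)
    env["PATH"] = tooldir + os.pathsep + env.get("PATH", "")
    return env


def has_shell_metachars(line):
    return any(ch in SHELL_META for ch in line)


def vulnerable_handler(line, tooldir):
    """Pre-patch behaviour as the article describes it: only the first word is
    checked against the allowlist, then the whole line is handed to a shell."""
    words = line.split()
    if not words or words[0] not in ALLOWED_COMMANDS:
        return "unknown command\n"
    # shell=True is the bug: 'wl ver; id' runs 'wl ver' and then 'id'.
    out = subprocess.run(line, shell=True, capture_output=True, text=True,
                         env=_env(tooldir))
    return out.stdout + out.stderr


def hardened_handler(line, tooldir):
    """Post-patch style handling: reject meta-characters (what the firmware
    update does) and, as a second layer, never involve a shell at all."""
    if has_shell_metachars(line):
        return "rejected: shell metacharacters\n"
    try:
        argv = shlex.split(line)
    except ValueError:
        return "rejected: malformed quoting\n"
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return "unknown command\n"
    try:
        # argv list, no shell: the kernel receives exactly these arguments.
        out = subprocess.run(argv, capture_output=True, text=True,
                             env=_env(tooldir))
    except FileNotFoundError:
        return "command not available\n"
    return out.stdout + out.stderr


def serve(handler, tooldir, port=0):
    """Minimal one-line-per-connection TCP service; port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096).decode(errors="replace")
                conn.sendall(handler(data.rstrip("\r\n"), tooldir).encode())

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def probe(port, payload):
    """Attacker side: connect, send one line, read the reply until close."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload.encode())
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    tooldir = make_fake_wl()
    print("vulnerable:", probe(serve(vulnerable_handler, tooldir), "wl ver; id\n"))
    print("hardened:  ", probe(serve(hardened_handler, tooldir), "wl ver; id\n"))
```

Against the vulnerable handler the reply contains the `uid=` line from `id`, which is exactly the identity disclosure the article describes; the hardened handler refuses the line before anything runs. The filter alone is what the page says the patch does; passing an argument vector with no shell is the additional safeguard a reviewer would want, because it removes the shell as an interpreter rather than trying to enumerate every character it might honour.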

Researchers recommend that users upgrade to the latest firmware version immediately, segment their networks to limit exposure of the device and reduce the risk of lateral movement in the event of a compromise, and carry out regular security audits.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.