CVE-2024-5035

TP-Link Archer C5400X, prior to release Archer C5400X(EU)_V1_1.1.7 Build 20240510, is vulnerable to remote code execution through the rftest binary exposed on TCP ports 8888, 8889 and 8890.

Proof-of-Concept

The network service restricts commands to those beginning with "wl" or "nvram get", but researchers at ONEKEY discovered this limitation "could be trivially bypassed by injecting a command after shell meta-characters like ;, &, or | (e.g., 'wl;id;')."
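The following added example (not code from rftest, ONEKEY or this site) models the prefix-only check described above next to a stricter validator that tokenizes the request into an argument vector. The function names, the character allowlist and the accepted grammar ("wl <args>" and "nvram get <name>") are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* Check as the page describes it: only the start of the string is inspected,
 * so anything after a shell metacharacter still reaches the shell. */
bool prefix_only_check(const char *cmd)
{
    return strncmp(cmd, "wl", 2) == 0 || strncmp(cmd, "nvram get", 9) == 0;
}

/* Assumed allowlist for argument bytes: excludes ; & | $ ` quotes and newlines. */
static bool safe_token(const char *tok)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";
    return tok[0] != '\0' && strspn(tok, ok) == strlen(tok);
}

/* Splits buf in place on spaces and accepts only "wl <args...>" or
 * "nvram get <name>". Returns argc, or -1 to reject. The argv produced is
 * meant for execv()-style execution, never for system() or popen(). */
int parse_allowed(char *buf, char *argv[MAX_ARGS + 1])
{
    int argc = 0;
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (argc == MAX_ARGS || !safe_token(tok))
            return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    if (argc == 0)
        return -1;
    if (strcmp(argv[0], "wl") == 0)          /* exact match, so "wlan" is rejected */
        return argc;
    if (argc == 3 && strcmp(argv[0], "nvram") == 0 && strcmp(argv[1], "get") == 0)
        return argc;
    return -1;
}

int main(void)
{
    char sample[] = "wl;id;";                /* the string quoted on the page */
    char *argv[MAX_ARGS + 1];
    int loose = prefix_only_check(sample);
    printf("prefix-only: %d, tokenized: %d\n", loose, parse_allowed(sample, argv));
    return 0;
}
```

The allowlist still permits a leading "-", so a production validator would also need to constrain which options each permitted command accepts.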

The documentation author notes difficulty reproducing this exploit on comparable TP-Link devices, and indicates that FirmAE does not support emulation of the Archer C5400X model.
