CVE-2024-5035

Updated 26 May 2026

Background

TP-Link Archer C5400X rftest RCE

  1. CVSS
    8.8 High
  2. VECTOR
    CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:H
  3. IMPACT
    Remote code execution
  4. AFFECTED
    Archer C5400X ≤ 1.1.6, < 1.1.7 (Build 20240510)

The TP-Link Archer C5400X exposes the rftest binary as a network service on TCP ports 8888, 8889, and 8890. The service restricts accepted commands to those beginning with wl or nvram get, but this restriction can be trivially bypassed by injecting additional commands after shell metacharacters — allowing unauthenticated remote code execution from the local network.

Discovered by ONEKEY Research.

Reproduction

POC || GTFO

The command filter blocks anything that doesn't start with wl or nvram get, but shell metacharacters (;, &, |) break out of the restriction:

```zsh
echo "wl;id;" | nc <target> 8888
```

The author notes difficulty reproducing this on comparable TP-Link devices, and FirmAE does not support emulation of the Archer C5400X model.
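As an added illustration (constructed for this entry, not TP-Link's rftest code or ONEKEY's), the two checks below contrast a prefix-only filter of the kind described above, which lets the PoC line through, with a tokenised allowlist that rejects shell metacharacters and demands an exact first token; the durable fix remains to execute the allowlisted program directly with an argv rather than through a shell.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the flaw class: the filter only inspects how the
 * line begins, so "wl;id;" passes and the shell runs "id" afterwards. */
bool weak_filter_accepts(const char *line)
{
    return strncmp(line, "wl", 2) == 0 || strncmp(line, "nvram get", 9) == 0;
}

/* True when `line` is exactly `tok` or `tok` followed by a space, i.e. the
 * allowlisted command is a whole token, not merely a prefix ("wlfoo"). */
static bool token_prefix(const char *line, const char *tok)
{
    size_t n = strlen(tok);
    return strncmp(line, tok, n) == 0 && (line[n] == '\0' || line[n] == ' ');
}

/* Hardened check: bound the length, reject any shell metacharacter or
 * non-printable byte anywhere in the line, then require an exact token
 * match against the allowlist. Even so, the caller should hand the tokens
 * to execve() as argv instead of to system()/popen(). */
bool strict_filter_accepts(const char *line)
{
    static const char meta[] = ";&|`$()<>{}*?[]~\\\"'";
    size_t len = strlen(line);
    if (len == 0 || len > 255)
        return false;
    for (const char *p = line; *p; p++) {
        if (!isprint((unsigned char)*p) || strchr(meta, *p))
            return false;
    }
    return token_prefix(line, "wl") || token_prefix(line, "nvram get");
}

/* Convenience for the PoC line from this entry: 1 = weak filter accepts it,
 * 2 = strict filter accepts it, 0 = neither. Returns 1 for "wl;id;". */
int classify_poc_line(const char *line)
{
    if (strict_filter_accepts(line))
        return 2;
    return weak_filter_accepts(line) ? 1 : 0;
}
```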
