CVE-2018-19537
Description
TP-Link Archer C5 routers allow authenticated remote code execution via shell metacharacters in configuration file upload due to insufficient sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TP-Link Archer C5 router (firmware versions through V2_160201_US, and possibly all published versions) contains a remote command execution vulnerability in the configuration file upload functionality. When an authenticated user restores a configuration file, the router does not properly sanitize the wan_dyn_hostname parameter, allowing injection of OS commands via shell metacharacters [1]. The configuration file is DES-encrypted with a hard-coded key (478DA50BF9E3D2CF), but this key is known and can be used to craft malicious files.
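The following is an added example, not TP-Link code and not taken from the cited reference: an allow-list check of the kind the restore path lacks for wan_dyn_hostname, run over an already-decrypted configuration. The one-pair-per-line "key value" layout, the function names and the sample lines are assumptions made for illustration.

```python
import re

# RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
FIELD = "wan_dyn_hostname"  # parameter named in the description above


def is_valid_hostname(value):
    """Allow-list check: accept only RFC 1123 hostnames, reject everything else."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def audit_config(plaintext):
    """Return (line_number, value) for each FIELD line whose value fails the check.

    Assumption: the decrypted config holds one "key value" pair per line.
    """
    findings = []
    for number, line in enumerate(plaintext.splitlines(), start=1):
        key, _, value = line.partition(" ")
        if key == FIELD and not is_valid_hostname(value):
            findings.append((number, value))
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE = "\n".join([
    "lan_ip 192.168.0.1",
    "wan_dyn_hostname Archer-C5",
    "wan_dyn_hostname host$(x)",
    "wan_dyn_hostname a;b",
    "wan_dyn_hostname ",
])

if __name__ == "__main__":
    for number, value in audit_config(SAMPLE):
        print(f"line {number}: rejected hostname {value!r}")
```

Accepting only the characters a hostname may legally contain avoids having to enumerate every shell metacharacter, which is where deny-list sanitization tends to fail.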
Exploitation
An attacker needs administrative access to the router's web GUI (default credentials may be admin:admin in some cases). The attacker first downloads a legitimate configuration file via GET /userRpm/config.bin [1]. They then decrypt the file using the known hard-coded key, inject commands into the wan_dyn_hostname line, re-encrypt it, and upload the modified configuration through the web interface [1]. The injected commands are executed with root privileges upon restoration.
Impact
Successful exploitation grants the attacker remote command execution as root on the device. This leads to full compromise of the router, including the ability to exfiltrate data, install malware, pivot to internal networks, or disrupt network operations.
Mitigation
As of the publication date, no firmware fix has been released. Users should change the default admin password to a strong one and, if possible, restrict access to the web GUI to trusted local networks only. Disabling remote administration is also recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.