CVE-2020-35575
Description
A password-disclosure issue in the web interface of multiple TP-Link devices allows remote attackers to gain full administrative access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A password-disclosure vulnerability exists in the web interface of numerous TP-Link devices. The issue allows an unauthenticated remote attacker to retrieve the administrative password, thereby gaining full access to the web panel. Affected models include WA901ND (before firmware version 3.16.9(201211) beta), Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 [2].
Exploitation
An attacker with network access to the device's web interface can exploit this flaw without any prior authentication. By sending a specially crafted request or simply accessing a particular endpoint, the attacker can retrieve the administrator password in plaintext. No user interaction or special privileges are required [2].
Impact
Successful exploitation grants the attacker full administrative control over the affected TP-Link device. This includes the ability to modify configuration, change network settings, intercept traffic, and potentially pivot to other devices on the network. The confidentiality, integrity, and availability of the device and connected systems are compromised [2].
Mitigation
TP-Link has acknowledged the vulnerability and released firmware version 3.16.9(201211) beta for the WA901ND model [2]. For other affected devices, no official fixed firmware version has been publicly listed as of the publication date. Users are advised to check TP-Link's security advisory page [1] for updates and to apply any available patches. If no fix is available, consider restricting network access to the web interface or placing the device behind a firewall [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TP-Link/WA901ND devices
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- packetstormsecurity.com/files/163274/TP-Link-TL-WR841N-Command-Injection.html (mitre, x_refsource_MISC)
- pastebin.com/F8AuUdck (mitre, x_refsource_MISC)
- static.tp-link.com/2020/202012/20201214/wa901ndv5_eu_3_16_9_up_boot%28201211%29.zip (mitre, x_refsource_MISC)
- www.tp-link.com/us/security (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.