CVE-2021-27209
Description
TP-Link Archer C5v management interface sends base64-encoded credentials over cleartext HTTP, allowing local network attackers to capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TP-Link Archer C5v (hardware version v1, firmware version 1.7_181221) stores the authenticated user's credentials within the management interface's cookie by encoding them with base64 [1]. This cookie is transmitted over cleartext HTTP, as the device does not use SSL by default [1]. When the cookie is decoded, the user's username and password are visible in plaintext [1].
Exploitation
An attacker on the same local network as the device can monitor HTTP traffic using packet capture tools. By intercepting the management session's cookie, the attacker can decode the base64 string to obtain the cleartext username and password [1]. No authentication or user interaction beyond normal device use is required; the attacker simply needs network access to observe traffic [1].
Impact
Successful exploitation allows the attacker to gain the administrator's credentials for the management interface [1]. This grants full administrative access to the device, enabling configuration changes, data exfiltration, or further network compromise [1].
Mitigation
According to the available references, no firmware update or official patch has been released to address this issue [1]. Users are advised to restrict access to the management interface to trusted networks only, to use a VPN or another encrypted tunnel for management traffic, or to consider replacing the device if continued use is deemed a risk [1].
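A defender-side check for the exposure described above, as an added example (not code from the advisory or the vendor): it audits cleartext HTTP requests taken from your own capture or proxy log and flags cookies whose value decodes to credentials, reporting only the username and the password length. The cookie name `Authorization`, the optional `Basic` prefix and the `user:password` layout are assumptions, since the page does not state the cookie format.

```python
import base64
import binascii
from urllib.parse import unquote


def decode_credential(value):
    """Return (user, password_length) if value is base64 of 'user:password', else None."""
    # Assumption: the value may carry a URL-encoded scheme word such as "Basic%20".
    token = unquote(value).strip().split(" ")[-1]
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or decodes to binary (typical for random session ids)
    user, sep, password = text.partition(":")
    if not (sep and user and password and text.isprintable()):
        return None
    return user, len(password)


def audit_request(raw_request):
    """Flag cookies in one cleartext HTTP request that carry base64 credentials."""
    findings = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            cookie, _, cookie_value = pair.strip().partition("=")
            hit = decode_credential(cookie_value)
            if hit:  # the password itself is never stored or printed
                findings.append({"cookie": cookie, "user": hit[0], "password_len": hit[1]})
    return findings


# Constructed sample request (not captured from a real device).
_TOKEN = base64.b64encode(b"admin:example-password").decode()
SAMPLE_REQUEST = (
    "GET /index.htm HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    f"Cookie: lang=en; sessionid=8f3a9c1e7b2d4f60; Authorization=Basic%20{_TOKEN}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST))
```

Any finding means the management session is exposing credentials to anyone who can observe that network segment, so the interface should be moved behind an encrypted tunnel or a trusted management network as described above.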
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] gokay.org/tp-link-archer-c5v-base64-cookie/ (mitre, x_refsource_MISC)