CVE-2021-37774

Vulnerability

In TP-Link TL-WDR7660 firmware version 2.0.30 (and likely other WR/WDR series routers), the httpProcDataSrv function in the web server processes JSON data from HTTP POST requests. The vulnerability occurs when the JSON contains specific strings such as cfgsync and do, which bypasses the httpDoAuthorize authentication check. This allows the processing of maliciously crafted requests without proper authorization. The issue affects both Linux and VxWorks based models, with WDR7660 being a confirmed example [1].

Exploitation

An attacker with network access to the router's LAN interface can send an HTTP POST request to the /ds endpoint with a JSON payload. The provided proof-of-concept uses a payload containing {"system":{"reset":null},"method":"do", "cfgsync":{"get_config_info":null}}. No authentication is required due to the authorization bypass in httpProcDataSrv. The attacker does not need any privileges or user interaction [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the affected router. This can lead to full compromise of the device, including data exfiltration, code execution, and potential further network attacks. The CVSS v3.1 base score is 9.8 (Critical) indicating a high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2023-01-19), no official firmware patch from TP-Link has been publicly released. The vulnerability was reported to TP-Link in July 2021 and acknowledged in August 2021, but no fix has been confirmed. Users are advised to restrict LAN access to the router's web interface, use VLAN segmentation to isolate affected devices, and monitor TP-Link's security advisories for a future update. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].