VYPR
Unrated severity · NVD Advisory · Published Mar 4, 2022 · Updated Aug 4, 2024

CVE-2021-44827

Description

Authenticated OS command injection in TP-Link Archer C20i router via X_TP_ExternalIPv6Address allows remote attackers to execute arbitrary commands as root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The TP-Link Archer C20i router running firmware version 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n or older is vulnerable to authenticated OS command injection. The vulnerability resides in the web interface's network configuration management, specifically within the X_TP_ExternalIPv6Address HTTP parameter [2]. An attacker with valid administrative credentials can inject arbitrary OS commands into this parameter, which are then executed by the device without proper sanitization [1].

Exploitation

Exploitation requires an authenticated session with administrator-level access to the router's web interface. The attacker sends a crafted POST request to the /cgi?2&2 endpoint, embedding the malicious command in the X_TP_ExternalIPv6Address field. For example, injecting &telnetd -p 1024 -l sh& starts a telnet daemon on TCP port 1024 with a root shell accessible without a password [2]. The attack relies on the default web interface being accessible on the local network or a WAN-facing management interface [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges on the router. This grants full control over the device, enabling activities such as modifying network configurations, intercepting or redirecting traffic, installing persistent backdoors, or leveraging the router as a pivot point for further network attacks [2].

Mitigation

TP-Link provides a firmware update to address this vulnerability. The latest firmware version for the Archer C20i is available on the TP-Link support download page [2]. Users should update their device firmware immediately. If updating is not possible, restricting administrative web interface access to trusted IP addresses and disabling remote management are recommended workarounds [1]. The device is end-of-life (EOL) and may not receive further updates; users are advised to consider replacing it with a supported model [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • TP-Link/TP-Link Archer C20i (description)
  • Range: = 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the X_TP_ExternalIPv6Address parameter allows OS command injection."

Attack vector

An attacker must first authenticate with admin credentials to the router's web interface [ref_id=1]. The attacker then sends a crafted POST request to `/cgi?2&2` containing an OS command injection payload in the `X_TP_ExternalIPv6Address` parameter [ref_id=1]. The router unsafely passes this parameter to a shell command, allowing arbitrary command execution as root [ref_id=1]. The example payload `&telnetd -p 1024 -l sh&` starts a passwordless telnet daemon on TCP port 1024 [ref_id=1].

Affected code

The vulnerable parameter is `X_TP_ExternalIPv6Address` in the network interface configuration web request handler [ref_id=1]. The firmware version affected is 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n or older on the TP-Link Archer C20i router [ref_id=1].

What the fix does

TP-Link released a fixed firmware, available from their support download page for the Archer C20i [ref_id=1]. The advisory does not include a patch diff, but the fix presumably sanitizes or escapes shell metacharacters in the `X_TP_ExternalIPv6Address` parameter before passing it to a system command [ref_id=1]. Users should update to the latest firmware to mitigate the vulnerability [ref_id=1].
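As an added illustration of the kind of input handling described above (this is not TP-Link's code; the advisory includes no patch diff), the following C sketch accepts the `X_TP_ExternalIPv6Address` value only if it parses as a literal IPv6 address and hands back a re-serialized copy. The function name `canonical_external_ipv6` is hypothetical, and the sketch assumes the handler receives the value as a NUL-terminated string.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical handler-side check for X_TP_ExternalIPv6Address.
 * On success, out holds the address re-serialized from its binary form,
 * so no byte of the raw request value is ever forwarded. */
bool canonical_external_ipv6(const char *value, char *out, size_t out_len)
{
    struct in6_addr parsed;
    size_t len;

    if (value == NULL || out == NULL || out_len < INET6_ADDRSTRLEN)
        return false;
    len = strlen(value);
    if (len == 0 || len >= INET6_ADDRSTRLEN)
        return false;
    /* Allowlist: hex digits, ':' and '.' (IPv4-mapped forms) only. */
    if (strspn(value, "0123456789abcdefABCDEF:.") != len)
        return false;
    /* Strict parse: anything that is not one literal address fails. */
    if (inet_pton(AF_INET6, value, &parsed) != 1)
        return false;
    return inet_ntop(AF_INET6, &parsed, out, (socklen_t)out_len) != NULL;
}

int main(void)
{
    /* Constructed inputs; the last is the payload quoted in the advisory. */
    const char *samples[] = {
        "2001:0DB8:0000:0000:0000:0000:0000:0001",
        "2001:db8::1&",
        "&telnetd -p 1024 -l sh&",
    };
    char buf[INET6_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (canonical_external_ipv6(samples[i], buf, sizeof buf))
            printf("accept  %-42s -> %s\n", samples[i], buf);
        else
            printf("reject  %s\n", samples[i]);
    }
    return 0;
}
```

Because the output is rebuilt from the parsed binary address, it can only contain hex digits, `:` and `.`. Passing it to a helper program as a separate argv element rather than through a shell string removes the remaining dependence on escaping.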

Preconditions

  • auth: Attacker must have valid admin credentials for the router's web interface
  • network: Attacker must be able to reach the router's web interface over the network
  • input: The vulnerable parameter X_TP_ExternalIPv6Address is present in the network interface configuration form

Reproduction

Send an authenticated POST request to `/cgi?2&2` with a body containing the `X_TP_ExternalIPv6Address` parameter set to a command injection payload such as `&telnetd -p 1024 -l sh&` [ref_id=1]. The full request includes the required `WAN_ETH_INTF` and `WAN_IP_CONN` headers and a valid `Authorization` cookie with base64-encoded admin credentials [ref_id=1]. After the request, connect to the router on TCP port 1024 via telnet to obtain a root shell [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
