Unrated severity · NVD Advisory · Published Dec 20, 2022 · Updated Apr 16, 2025

CVE-2022-46910

Description

TP-Link TL-WA901N/ND access points up to firmware 3.11.2/3.12.16 are vulnerable to arbitrary code execution or DoS via a crafted firmware image that bypasses integrity checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The firmware update process in TP-Link TL-WA901ND V1 up to v3.11.2 and TL-WA901N V2 up to v3.12.16 does not properly verify the integrity of uploaded firmware images. The firmware image structure includes headers containing MD5 checksums, but an attacker can craft a malicious image that bypasses this verification [2]. The vulnerability is present in the upgradeFirmware function, which computes checksums and compares them against the values in the image headers; however, the checks are insufficient to prevent a tampered image from being accepted [2].

Exploitation

An attacker can exploit this vulnerability during a firmware update by replacing the legitimate firmware image uploaded by an administrator with a specially crafted malicious image. This requires the attacker to have network access to intercept or modify the firmware upload (e.g., man-in-the-middle position) or to trick the administrator into directly uploading the malicious file via the device's web interface [2]. No authentication beyond the administrator's session for the firmware update is required; the attacker does not need prior authenticated access to the device if they can control the upload path [2].

Impact

Successful exploitation allows an attacker to install arbitrary firmware, leading to either denial-of-service (DoS) by corrupting the device, or execution of malicious code (including backdoors or malware) at the privilege level of the system firmware [2]. This compromises the confidentiality, integrity, and availability of the device and potentially the network it serves [2].

Mitigation

TP-Link has not publicly released a security advisory with a fixed firmware version as of the publication date [1]. Users are advised to check the TP-Link security advisory page for updates [1]. Until a patch is available, mitigating this risk includes restricting network access to the device's management interface, using strong passwords, and only performing firmware updates over trusted networks [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing cryptographic signature verification and use of plain HTTP for firmware delivery allow an on-path attacker to modify the firmware image and recalculate its MD5 checksums to bypass integrity checks."

Attack vector

An attacker with a privileged network position (obtained via ARP spoofing, DNS spoofing, or similar techniques) intercepts the firmware image that a user uploads via the device's web interface over plain HTTP. The attacker modifies arbitrary bytes in the kernel portion of the image (e.g., 4 bytes at offset 0x20800) and recalculates the MD5 checksums in the firmware headers to match the altered content. Because the device's `upgradeFirmware` function only verifies the MD5 digest against the header value and does not perform any cryptographic signature check, the crafted image passes validation and is flashed onto the device, resulting in arbitrary code execution or denial of service [ref_id=1].

Affected code

The firmware update verification function `upgradeFirmware` (decompiled in the advisory) validates the uploaded image by comparing MD5 checksums stored in the firmware headers against computed digests. The entire firmware delivery path uses plain HTTP with no cryptographic signature verification, and the checksum fields themselves are modifiable by an attacker with network access [ref_id=1].

What the fix does

The advisory does not provide a vendor patch or fixed firmware version. The recommended remediation is to replace the plain-HTTP firmware delivery with a cryptographically signed update mechanism that prevents an intermediary from tampering with the image. Without a digital signature, an attacker who can intercept the HTTP traffic can always modify the firmware and recalculate the MD5 checksums to bypass the existing integrity check [ref_id=1].
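The difference between the embedded-checksum check and an authenticated check, as an added example that is not code from the advisory or from TP-Link firmware. The image layout (`FWIM` magic, length, MD5, payload), the key and all function names are constructed for illustration and are not the real TL-WA901 header format. HMAC-SHA256 stands in for a public-key signature so the example needs only the standard library; a real update mechanism would verify an asymmetric signature with a public key held by the device.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                  # constructed magic value, not TP-Link's
HDR = struct.Struct(">4sI16s")   # magic, payload length, MD5(payload)

def build_image(payload: bytes) -> bytes:
    """Pack a constructed image: header carrying MD5(payload), then payload."""
    return HDR.pack(MAGIC, len(payload), hashlib.md5(payload).digest()) + payload

def parse(image: bytes):
    """Return (header digest, payload); reject truncated or malformed images."""
    if len(image) < HDR.size:
        raise ValueError("truncated header")
    magic, length, digest = HDR.unpack_from(image)
    payload = image[HDR.size:]
    if magic != MAGIC or length != len(payload):
        raise ValueError("malformed image")
    return digest, payload

def check_embedded_md5(image: bytes) -> bool:
    """Weak check: the reference digest travels inside the file it protects."""
    digest, payload = parse(image)
    return hmac.compare_digest(hashlib.md5(payload).digest(), digest)

def check_authenticated(image: bytes, tag: bytes, key: bytes) -> bool:
    """Stronger check: tag covers header and payload, keyed outside the file."""
    parse(image)  # structural validation still applies
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    vendor_key = b"constructed-demo-key"            # constructed sample key
    original = build_image(b"kernel" + bytes(64))   # constructed sample image
    tag = hmac.new(vendor_key, original, hashlib.sha256).digest()
    # Same-length payload with 4 bytes changed and a self-consistent header.
    altered = build_image(b"kernel" + bytes(60) + b"\xde\xad\xbe\xef")
    return {
        "md5_original": check_embedded_md5(original),
        "md5_altered": check_embedded_md5(altered),
        "auth_original": check_authenticated(original, tag, vendor_key),
        "auth_altered": check_authenticated(altered, tag, vendor_key),
    }
```

The embedded MD5 detects accidental corruption only: any self-consistent image passes it, while the authenticated check fails unless the image is the exact one the key holder tagged.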

Preconditions

  • network: Attacker must be on the same network segment as the TP-Link device or be able to intercept HTTP traffic (e.g., via ARP spoofing or DNS spoofing).
  • input: A legitimate user must initiate a firmware update via the device's web interface, uploading a firmware image over plain HTTP.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
