CVE-2023-39224

Vulnerability

An OS command injection vulnerability (CWE-78) exists in the firmware of TP-Link Archer C5 (all versions) and Archer C7 (versions prior to Archer C7(JP)_V2_230602). The vulnerability allows a network-adjacent attacker with low-privilege authentication to inject arbitrary operating system commands through an unspecified input field or management interface that fails to sanitize user-supplied data. Archer C5 is end-of-life and will not receive a fix [2].

Exploitation

An attacker must be on the same local network as the target device (network-adjacent) and possess valid credentials for the router's administrative interface (low-privilege authentication). The exact attack vector is not publicly detailed, but typical OS command injection in TP-Link routers involves sending crafted input to a vulnerable CGI script or form parameter. No user interaction beyond the initial authentication is required [2].

Impact

Successful exploitation grants the attacker arbitrary OS command execution on the device with root privileges. This leads to full compromise of the router, including the ability to exfiltrate sensitive data, modify network traffic, install persistent malware, or use the device as a pivot point for further attacks on the internal network [2].

Mitigation

For Archer C7 users, the fix is included in firmware version Archer C7(JP)_V2_230602, available from the TP-Link Japan support page [1]. Users should update immediately. For Archer C5, no patch will be released as the product is end-of-life; users are advised to replace the device with a supported model. No workarounds have been published [2].