Security VulnerabilitiesNews

TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability [CVE-2023-1389]

Luke Simmonds 1818 Views 0 Comments 0 min read

CVE number = CVE-2023-1389

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers.

Authentication is not required to exploit this vulnerability.

The specific flaw exists within the merge_country_config function.

The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call.

An attacker can leverage this vulnerability to execute arbitrary code in the context of root.

TP-Link has issued an update to correct this vulnerability.

Affected products = Archer AX21

More details can be found at:
https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware

Luke Simmonds

Blogger at www.systemtek.co.uk

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.