CVE-2023-1389

TP-Link Archer AX-21 Command Injection Vulnerability

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the merge_country_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code in the context of root.

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

*Credits: rskvp93, Q5Ca, and hoangnx99 from VcsLab of Viettel Cyber Security and Pham Nguyen Ngoc Bien & Dang Minh Tri from Qrious Secure

CVSS Scores

NISTv3.1 8.8

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-14 CVE Reserved
2023-03-15 CVE Published
2023-05-01 Exploited in Wild
2023-05-22 KEV Due Date
2023-08-09 First Exploit
2024-08-02 CVE Updated
2024-10-20 EPSS Updated

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/51677	2023-08-10
https://github.com/Terminal1337/CVE-2023-1389	2023-09-09
https://github.com/Voyag3r-Security/CVE-2023-1389	2023-08-09
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html	2024-08-02
https://www.tenable.com/security/research/tra-2023-11	2024-08-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tp-link Search vendor "Tp-link"	Archer Ax21 Firmware Search vendor "Tp-link" for product "Archer Ax21 Firmware"	< 1.1.4 Search vendor "Tp-link" for product "Archer Ax21 Firmware" and version " < 1.1.4"	-	Affected	in	Tp-link Search vendor "Tp-link"	Archer Ax21 Search vendor "Tp-link" for product "Archer Ax21"	-	-	Safe