// For flags

CVE-2023-49133

 

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP225(V3) 5.1.0 Build 20220926 of the AC1350 Wireless MU-MIMO Gigabit Access Point.

Existe una vulnerabilidad de ejecución de comando en la funcionalidad tddpd enable_test_mode del punto de acceso Gigabit MU-MIMO inalámbrico Tp-Link AC1350 (EAP225 V3) v5.1.0 compilación 20220926 y el punto de acceso inalámbrico Tp-Link N300 (EAP115 V4) v5.0.4 compilación 20220216. Una serie de solicitudes de red especialmente manipuladas pueden conducir a la ejecución de comandos arbitrarios. Un atacante puede enviar una secuencia de paquetes no autenticados para desencadenar esta vulnerabilidad. Esta vulnerabilidad afecta a "uclited" en el EAP225(V3) 5.1.0 Build 20220926 del punto de acceso Gigabit MU-MIMO inalámbrico AC1350.

*Credits: Discovered by the Vulnerability Discovery and Research team of Cisco Talos.
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-11-22 CVE Reserved
  • 2024-04-09 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Tp-link
Search vendor "Tp-link"
 Ac1350 Firmware
Search vendor "Tp-link" for product "Ac1350 Firmware"
*-
Affected
Tp-link
Search vendor "Tp-link"
 N300 Firmware
Search vendor "Tp-link" for product "N300 Firmware"
*-
Affected