CVE-2023-1389
HIGH
8,8
Source: [email protected]
Attack Vector: adjacent_network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Description
AI Translation Available
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,9354
Percentile
1,0th
Updated
EPSS Score Trend (Last 90 Days)
77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
DraftCommon Consequences
Security Scopes Affected:
Integrity
Confidentiality
Availability
Potential Impacts:
Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies:
AI/ML
Exploit
TP-Link Archer AX21 - Unauthenticated Command Injection
TP-Link Archer AX21 - Unauthenticated Command Injection
View Exploit Code →
Operating System
Archer Ax21 Firmware by Tp-Link
Version Range Affected
To
1.1.4
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023…
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injecti…
https://www.tenable.com/security/research/tra-2023-11
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injecti…
https://www.tenable.com/security/research/tra-2023-11