Monday, March 17, 2025
HomeCVE/vulnerabilityHackers Target TP-Link Vulnerability to Gain Full System Control

Hackers Target TP-Link Vulnerability to Gain Full System Control

Published on

SIEM as a Service

Follow Us on Google News

Hackers exploit a vulnerability in TP-Link routers, specifically the TL-WR845N model, to gain full control over the system.

This exploit allows unauthorized users to access the root shell credentials, giving them unrestricted access to manipulate and control the router.

Here is a summary of the affected product and how the vulnerability can be exploited:

Affected Product Details

Product InformationDetails
ManufacturerTP-Link
ModelTL-WR845N
Firmware Versions AffectedTL-WR845N(UN)_V4_190219, TL-WR845N(UN)_V4_200909, TL-WR845N(UN)_V4_201214
Vulnerability ExploitedWeak root shell credentials

The vulnerability allows hackers to extract the root shell credentials from the router’s firmware.

The firmware can be obtained either by physically accessing the router’s SPI Flash memory or by downloading it from TP-Link’s official website.

Once extracted, tools such as binwalk or FirmAudit can be used to analyze the firmware and extract files.

The root password is stored in MD5 hash format in the squashfs-root/etc/passwd and squashfs-root/etc/passwd.bak files.

This hashed password can be easily cracked using tools like hashcat or John the Ripper to reveal the password as “1234.” The username, “admin,” is stored in plain text.

Steps to Exploit the Vulnerability

  1. Obtain Firmware: Get the firmware either through SPI Flash memory or download from the official website.
  2. Extract Files: Use tools like binwalk to extract files from the firmware. Command: $ binwalk -e firmware.bin
  3. Access Credentials: Go to the squashfs-root/etc directory and find the passwd and passwd.bak files.
  4. Reveal Credentials: Use commands like $ cat passwd or $ cat passwd.bak to view the username and hashed password.
  5. Crack Password: Use tools like hashcat or John the Ripper to crack the MD5 hashed password, which reveals as “1234.”
  6. Validate Credentials: Use UART port communication to validate the credentials by entering the login command and providing the username and password.

This vulnerability poses significant risks as it allows malicious actors to gain full control over the router, potentially leading to unauthorized access, data theft, and even the spread of malware.

Recommendations:

  • Users are advised to update their firmware as soon as an updated version is available.
  • Implement robust security practices, such as using strong passwords and enabling WPA3 encryption.
  • Regularly monitor router activity for suspicious behavior.

This exploit highlights the importance of regularly updating router firmware and maintaining strong security protocols in networks.

Users should remain vigilant and adopt best practices to protect their devices from similar vulnerabilities.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Kentico Xperience CMS Vulnerability Enables Remote Code Execution

In recent security research, vulnerabilities in the Kentico Xperience CMS have come to light,...

Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution

A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information...

Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code

A series of vulnerabilities has been discovered in Espressif Systems' ESP32 devices, specifically affecting...

AI Operator Agents Helping Hackers Generate Malicious Code

Symantec's Threat Hunter Team has demonstrated how AI agents like OpenAI's Operator can now...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Kentico Xperience CMS Vulnerability Enables Remote Code Execution

In recent security research, vulnerabilities in the Kentico Xperience CMS have come to light,...

Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution

A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information...

Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code

A series of vulnerabilities has been discovered in Espressif Systems' ESP32 devices, specifically affecting...