A recently discovered Cross-site Scripting (XSS) vulnerability, CVE-2024-57514, affecting the TP-Link Archer A20 v3 Router has raised security concerns among users.
The flaw, identified in firmware version 1.0.6 Build 20231011 rel.85717(5553), allows attackers to execute arbitrary JavaScript code through the router’s web interface, potentially leading to malicious exploitation.
The vulnerability stems from improper input validation of directory listing paths in the router’s web interface.
By crafting a malicious URL, an attacker can trigger the execution of embedded JavaScript code in the browser of any user who visits the page.
This enables the injection of malicious scripts, which could be leveraged for phishing attacks, session hijacking, or other malicious activities.
The issue lies in the router’s handling of directory listings, which fails to sanitize user input. For example, a payload like the one below demonstrates how JavaScript can be executed:
http://192.168.0.1/<style onload=alert`rvz`;>../..%2f
When this URL is accessed, it triggers an alert box as a demonstration but could be extended to execute more harmful scripts depending on the attacker’s intentions.
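The root cause and its fix can be shown with a small directory-listing renderer. This is an added example, not TP-Link firmware code: the function names are hypothetical, and it assumes the listing page echoes the request path into an "Index of" heading.

```javascript
// Added illustration, not TP-Link firmware code; all function names are hypothetical.

// Request path taken from the URL quoted in the article.
const SAMPLE_PATH = '/<style onload=alert`rvz`;>../..%2f';

// Escape the characters that can open a tag, entity or attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: path and file names are concatenated into markup as-is.
function renderListingUnsafe(requestPath, entries) {
  const items = entries.map((name) => `<li><a href="${requestPath}${name}">${name}</a></li>`);
  return `<h1>Index of ${requestPath}</h1><ul>${items.join('')}</ul>`;
}

// Hardened pattern: escape for the HTML text context, percent-encode for the
// URL context, and keep links relative so the path never lands in an attribute.
function renderListingSafe(requestPath, entries) {
  const items = entries.map((name) =>
    `<li><a href="./${encodeURIComponent(name)}">${escapeHtml(name)}</a></li>`);
  return `<h1>Index of ${escapeHtml(requestPath)}</h1><ul>${items.join('')}</ul>`;
}

console.log(renderListingUnsafe(SAMPLE_PATH, ['notes.txt'])); // markup reaches the parser
console.log(renderListingSafe(SAMPLE_PATH, ['notes.txt']));   // rendered as inert text
```

File names are treated as untrusted too, since a name stored on an attached share is attacker-influenced in the same way as the request path.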
The vulnerability allows JavaScript execution on the / path and in sub-directories. However, it does not expose cookies scoped to the /cgi-bin/luci path due to the cookie’s path attribute, which restricts access to that specific directory.
While this limitation prevents direct cookie theft, attackers could still exploit the XSS vulnerability to perform other malicious actions, including phishing or browser-based exploitation.
A video proof-of-concept (PoC) showcasing this vulnerability has been shared by security researchers, highlighting its potential impact on unprotected users.
According to the Zyenra report, TP-Link has confirmed the vulnerability but stated that the Archer A20 v3 router has reached its End of Life (EOL) and will not receive any further updates or patches.
Citing the limited scope and severity as evaluated by their security teams, TP-Link has decided against addressing the issue in this model.
The company reassured users that they are actively reviewing other models to ensure their security, advising customers to update to newer, supported devices for continued protection.
While the vulnerability’s direct impact is mitigated by certain restrictions, users of the TP-Link Archer A20 v3 router are advised to exercise caution.
Upgrading to a supported router model is highly recommended, as discontinued devices no longer receive critical security updates, leaving them exposed to potential threats.
Cybersecurity professionals also caution users to avoid visiting untrusted links or URLs to minimize exposure to such vulnerabilities.