Security researchers recently discovered a serious vulnerability in the aforementioned TP-Link router that allows remote hackers to completely compromise the device. The vulnerability, identified as CVE-2024-5035, has the highest possible severity rating (10) on the Common Vulnerability Scoring System (CVSS). Vulnerabilities with a score of 10 are extremely rare, with most critical bugs scoring a maximum of 9.8.

The issue with TP-Link routers lies in a network service called "rftest" that the router exposes on TCP ports 8888, 8889, and 8890. By exploiting this service, an unauthenticated attacker can inject malicious commands and gain full remote code execution privileges on the vulnerable device.

"By successfully exploiting this vulnerability, remote unauthenticated attackers could execute arbitrary commands on the device with elevated privileges," said the company that first discovered the vulnerability, ONEKEY (Germany). That's a nightmare scenario for gamers and anyone else using the aforementioned TP-Link router. In theory, a skilled hacker could inject malware or even compromise the router to launch further attacks on the victim's network.

According to ONEKEY researchers, although “rftest” only allows wireless configuration commands that start with “wl” or “nvram get,” they can be easily bypassed. By simply inserting standard shell commands like “wl;id;” (or non-semicolon characters like dashes or ampersands), they found that bad actors can execute virtually any code they want on the compromised router.

ONEKEY speculates that TP-Link may have rushed to release this "rftest" API without properly securing it, which is what caused the remote code execution vulnerability. This vulnerability affects all Archer C5400X firmware versions up to 1.1.1.6. TP-Link has now released firmware 1.1.1.7 to patch this security flaw.

So, if you have one of these routers at home, log in to your router's admin page and check for updates. Alternatively, download and manually install firmware 1.1.1.7 from TP-Link's support page.