If exploited, this remote code execution (RCE) vulnerability allows arbitrary command execution via a malformed User-Agent field in the HTTP headers. This means that a remote attacker could get complete control over the device. A remote attacker can exploit the vulnerability without logging in or authenticating to the Wi-Fi extender. Moreover, no privilege escalation is needed, since all processes on these devices already run with root-level access.
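A defender who can see HTTP requests headed for an extender's management interface can screen the User-Agent field for values that look like shell input. The sketch below is an added example, not code from TP-Link or from the original advisory. It assumes requests are logged in combined log format by a proxy or sensor in front of the device. The heuristics are generic assumptions about shell input, not the actual trigger for this CVE, which the advisory does not describe, and the sample log lines are constructed.

```python
import re

# Combined log format: src ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$'
)
SHELL_META = re.compile(r'[`|&<>]|\$[({]')   # substitution, pipes, redirection
CONTROL = re.compile(r'[\x00-\x1f\x7f]|\\x[0-9A-Fa-f]{2}')  # raw or log-escaped bytes
COMMENT = re.compile(r'\([^()]*\)')          # e.g. "(Windows NT 10.0; Win64; x64)"
MAX_UA_LEN = 512                             # assumed ceiling, tune per site


def suspicious_user_agent(ua):
    """Return the reasons a User-Agent value looks like shell input (empty if none)."""
    reasons = []
    if SHELL_META.search(ua):
        reasons.append("shell metacharacter")
    if CONTROL.search(ua):
        reasons.append("control character")
    # Semicolons are normal inside parenthesised comments, unusual outside them.
    if ";" in COMMENT.sub("", ua):
        reasons.append("semicolon outside comment")
    if len(ua) > MAX_UA_LEN:
        reasons.append("oversized value")
    return reasons


def scan(lines):
    """Return (source address, request line, reasons) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and (reasons := suspicious_user_agent(m["ua"])):
            hits.append((m["src"], m["req"], reasons))
    return hits


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0; echo test"',
    '198.51.100.8 - - [01/Jan/2024:10:00:09 +0000] "GET /x HTTP/1.1" 404 0 "-" "agent $(id)"',
]

if __name__ == "__main__":
    for src, req, reasons in scan(SAMPLE_LOG):
        print(src, req, ", ".join(reasons))
```

A hit is a lead for triage rather than proof of exploitation; the firmware update remains the fix.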
Recommendations
The TP-Link security team confirmed that there are 4 products affected by this issue:
- RE365
- RE650
- RE350 (EOL)
- RE500 (EOL)
No other models have been confirmed as affected.
TP-Link has fixed the flaw and provided firmware updates for each of the vulnerable devices. Users are advised to install them.
References
- Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control
- TP-Link Download Center
CVE-2019-7406