If exploited, this remote code execution (RCE) vulnerability can allow arbitrary command execution via a malformed user agent field in HTTP headers. This means that a remote attacker could get complete control over the device. The vulnerability can be exploited by a remote attacker without requiring login / authentication to the Wi-Fi extender. Moreover, privilege escalation would not be needed here since all processes on these devices already run with root-level access.

Recommendations

The TP-Link security team confirmed that there are 4 products affected by this issue:

• RE365
• RE650
• RE350(EOL)
• RE500(EOL)

No other models have been confirmed as affected.

TP-LINK has fixed the flaw and provided firmware updates for each of the vulnerable devices. Users are advised to implement them.

References

• Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control
• TP-Link Download Center

CVE-2019-7406