A hot potato: If you're rocking TP-Link's Archer C5400X tri-band router for gaming, you'll want to grab the latest firmware patch ASAP. Security researchers recently discovered a critical vulnerability that allows remote hackers to completely compromise the device.
The flaw, tracked as CVE-2024-5035, earned the highest possible severity rating of 10.0 under the Common Vulnerability Scoring System (CVSS). Vulnerabilities scoring 10.0 are extremely rare – most severe bugs max out at 9.8, so this one's about as bad as it gets.
The issue lies in a network service called "rftest" that the router exposes on TCP ports 8888, 8889, and 8890. By exploiting it, an unauthenticated attacker can inject malicious commands and gain full remote code execution on the vulnerable device.
"By successfully exploiting this flaw, remote unauthenticated attackers can gain arbitrary command execution on the device with elevated privileges," notes German cybersecurity firm ONEKEY, which first discovered the flaw.
That's a nightmare scenario for gamers and anyone else using this TP-Link router model. A skilled hacker could theoretically inject malware or even use the compromised router as a launch pad for further attacks on your network.
ONEKEY researchers found that while "rftest" is supposed to only allow wireless configuration commands starting with "wl" or "nvram get," those restrictions could be trivially bypassed. By appending standard shell commands after meta-characters like semicolons, pipes, or ampersands (for example, "wl;id;"), they found bad actors could execute pretty much any code they wanted on a vulnerable router.
In their technical write-up, ONEKEY speculated that TP-Link may have rushed out this "rftest" API without properly securing it, leaving a gaping remote code execution hole. Poor coding practices seem to be the culprit.
"It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices. With details of this 'API' abstracted away, the fact that it does indeed expose a shell remotely due to insecure coding practices got lost in the review process," ONEKEY explained.
The vulnerability impacts all Archer C5400X firmware versions up to 1.1.1.6. Fortunately, TP-Link has already issued a patched 1.1.1.7 firmware release that should close the security hole.
If you've got one of these routers at home, log into your router admin page and check for updates. Alternatively, manually download and install the 1.1.1.7 firmware from TP-Link's support site.
While gaming router vulnerabilities may not make many headlines, this is still a pretty serious issue impacting a popular device explicitly branded for Nvidia's GeForce Now cloud gaming service. The last thing any gamer needs is their router getting hijacked mid-match.