CVE-2020-28347

9.8 CRITICAL

📋 TL;DR

CVE-2020-28347 is a command injection vulnerability in the tdpServer daemon of TP-Link Archer A7 AC1750 routers. An unauthenticated attacker who can reach the service sends a crafted request whose slave_mac field is passed into a shell command, gaining arbitrary code execution as root on the device. Firmware builds before 201029 are affected. The bug is a regression of CVE-2020-10882: the earlier fix filtered some shell metacharacters from slave_mac instead of validating it as a MAC address, so the sanitization remained incomplete.
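
The pattern behind this bug and its incomplete fix, as an added illustration (this is not tdpServer's code, and the command name, the denylist character set and the sample inputs are all assumptions): a value that should only ever be a MAC address is interpolated into a shell command line, a denylist of a few metacharacters is bolted on, and the denylist still lets command substitutions and newlines through. The hardened form validates slave_mac against an allowlist of exactly 17 characters and passes it to the helper as an argv element so no shell parses it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: interpolate the attacker-controlled slave_mac field into
 * a shell command line that later reaches system() or popen(). The command
 * name is a placeholder; tdpServer's real command string is not reproduced. */
int build_cmd_unsafe(const char *slave_mac, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/usr/sbin/mesh_add_slave %s", slave_mac);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Denylist filter: the shape of an incomplete fix that rejects a few shell
 * metacharacters but leaves others (and newlines) alone. The character set
 * is hypothetical, not the vendor's. */
bool denylist_ok(const char *s) {
    return strpbrk(s, ";|&`") == NULL;
}

/* Allowlist: accept exactly XX:XX:XX:XX:XX:XX with hex digits, nothing else. */
bool is_valid_mac(const char *s) {
    if (strlen(s) != 17)
        return false;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)s[i])) {
            return false;
        }
    }
    return true;
}

/* Hardened: validate against the allowlist, then hand the value to the helper
 * as a separate argv element (for execv/execve), so no shell ever parses it.
 * Fills argv[0..2]; returns -1 when the value is rejected. */
int build_argv_safe(const char *slave_mac, const char *argv[3]) {
    if (!is_valid_mac(slave_mac))
        return -1;
    argv[0] = "/usr/sbin/mesh_add_slave";
    argv[1] = slave_mac;
    argv[2] = NULL;
    return 0;
}

int main(void) {
    /* Constructed inputs: a benign MAC and a MAC carrying a command substitution. */
    const char *good = "aa:bb:cc:dd:ee:ff";
    const char *evil = "aa:bb:cc:dd:ee:ff$(reboot)";
    char cmd[128];
    const char *argv[3];

    build_cmd_unsafe(evil, cmd, sizeof cmd);
    printf("unsafe command line   : %s\n", cmd);             /* substitution survives */
    printf("denylist accepts evil : %d\n", denylist_ok(evil));  /* 1: bypassed */
    printf("allowlist accepts evil: %d\n", is_valid_mac(evil)); /* 0 */
    printf("allowlist accepts good: %d, argv ok: %d\n",
           is_valid_mac(good), build_argv_safe(good, argv) == 0);
    return 0;
}
```

The point a reviewer should take from the two filters: a denylist has to enumerate every character the shell treats specially in every quoting context, and it fails open the moment one is missed; an allowlist that encodes the only legal shape of the value fails closed, and removing the shell from the path removes the interpreter the injection needs.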

💻 Affected Systems

Products:
  • TP-Link Archer A7 AC1750
Versions: All firmware builds before 201029
Operating Systems: Embedded Linux on TP-Link routers
Default Config Vulnerable: ⚠️ Yes
Notes: tdpServer runs by default and listens on UDP port 20002 on the LAN side. It implements TP-Link's TDP protocol (used for OneMesh device onboarding, among other things); slave_mac is a field of that protocol's request. This is not the older TDDP debug protocol on UDP port 1040.

📦 What is this software?

The Archer A7 AC1750 is a consumer dual-band Wi-Fi router. tdpServer is a daemon shipped in its firmware that listens on UDP port 20002 and services TP-Link's TDP protocol; the slave_mac field names the mesh slave device being added, and it is the value that reaches a shell command without proper validation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full root access to the router, enabling them to intercept all network traffic, install persistent malware, pivot to internal network devices, and potentially brick the device.

🟠

Likely Case

Remote code execution leading to router compromise, network traffic interception, DNS hijacking, and credential theft from connected devices.

🟢

If Mitigated

No impact if the router runs build 201029 or later, or if only trusted devices can reach UDP port 20002 on the router's LAN interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code and a Metasploit module target the tdpServer slave_mac injection. Exploitation requires the ability to send UDP datagrams to port 20002 on the router; on a default configuration that port is reachable from any LAN or Wi-Fi client, so an attacker on the guest network, a compromised IoT device, or a malicious web page able to send UDP via a local pivot is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 201029 or later

Vendor Advisory: https://www.tp-link.com/us/support/download/archer-a7/#Firmware

Restart Required: Yes

Instructions:

1. Download the latest firmware for your hardware revision from the TP-Link support site (the revision is printed on the label under the router).
2. Log into the router admin interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the firmware file.
5. Wait for the upgrade to complete and the router to reboot, then confirm the version shown is 201029 or later.

🔧 Temporary Workarounds

Block TDDP Port

linux

Block UDP port 1040 at network perimeter to prevent external exploitation

iptables -A INPUT -p udp --dport 1040 -j DROP

Disable Remote Management

all

Disable remote management features in router settings

🧯 If You Can't Patch

  • Replace the router with a supported model or a different vendor
  • Put untrusted, guest and IoT clients on a segment that cannot reach the router's LAN interface, and treat the router as untrusted: protect critical systems with host firewalls and TLS rather than relying on the router

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the admin interface (System Tools > Firmware Upgrade shows the running version). If the build date is earlier than 201029, the device is vulnerable.

Check Version:

Check via router web interface at 192.168.0.1 or 192.168.1.1

Verify Fix Applied:

Verify firmware version shows 201029 or later in router admin interface after upgrade.
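
A small checker for the version strings described above, added here as an example (it is not TP-Link tooling). It assumes two formats that are not guaranteed by the vendor: the download file name style "Archer A7(US)_V5_201029" with a six-digit YYMMDD build date, and the web UI style "1.0.x Build 20201029 rel.NNNNN" with an eight-digit date. It takes the last six- or eight-digit run in the string as the build date and compares it with 20201029.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIXED_BUILD 20201029L /* build date of the 201029 firmware, as YYYYMMDD */

/* Extract the last run of exactly 6 or 8 consecutive digits from a version
 * string and normalize it to YYYYMMDD. Returns -1 if no such run exists.
 * Assumed formats (not guaranteed by TP-Link): "Archer A7(US)_V5_201029"
 * and "1.0.14 Build 20200916 rel.31301". Five-digit release numbers such as
 * "rel.31301" are skipped because their length does not match. */
long build_date(const char *ver) {
    long found = -1;
    size_t i = 0, n = strlen(ver);
    while (i < n) {
        if (!isdigit((unsigned char)ver[i])) {
            i++;
            continue;
        }
        size_t j = i;
        while (j < n && isdigit((unsigned char)ver[j]))
            j++;
        size_t len = j - i;
        if (len == 6 || len == 8) {
            long v = 0;
            for (size_t k = i; k < j; k++)
                v = v * 10 + (ver[k] - '0');
            if (len == 6)
                v += 20000000L; /* YYMMDD -> 20YYMMDD */
            found = v;
        }
        i = j;
    }
    return found;
}

/* 1 = vulnerable (build before 201029), 0 = fixed, -1 = could not parse. */
int is_vulnerable(const char *ver) {
    long d = build_date(ver);
    if (d < 0)
        return -1;
    return d < FIXED_BUILD ? 1 : 0;
}

int main(void) {
    /* Constructed sample strings in the two assumed formats. */
    const char *samples[] = {
        "Archer A7(US)_V5_200916",
        "Archer A7(US)_V5_201029",
        "1.0.14 Build 20200916 rel.31301",
        "Archer A7",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], is_vulnerable(samples[i]));
    return 0;
}
```

A result of -1 means the string did not carry a recognizable build date; fall back to reading the version from the admin interface rather than assuming the device is patched.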

📡 Detection & Monitoring

Log Indicators:

  • UDP/20002 (TDP) traffic from clients that are not TP-Link mesh devices or the TP-Link management app
  • Unexpected processes, cron entries or configuration changes on the router after such traffic
  • Failed firmware upgrade attempts

Network Indicators:

  • UDP datagrams to port 20002 on the router from unexpected hosts, especially repeated ones. The TDP payload is encrypted with a key fixed in the firmware, so matching on "slave_mac" or shell metacharacters in raw captures is not practical; alert on the port and the source instead
  • Outbound connections from the router to unfamiliar IPs, unexpected DNS server changes, or the router resolving names it should not

SIEM Query:

source="router" AND protocol="udp" AND dest_port=20002 AND NOT src_ip IN known_mesh_devices
