CVE-2020-35575

Q: What is the severity of CVE-2020-35575?

CVE-2020-35575 has a CVSS score of 9.8 (CRITICAL). This CVE describes a password disclosure vulnerability in TP-Link router web interfaces that allows remote attackers to obtain administrative credentials. Successful exploitation grants full administrative access to the web panel, affecting numerous TP-Link router models. The vulnerability is remotely exploitable without authentication.

9.8 CRITICAL

Authentication Bypass

📋 TL;DR

This CVE describes a password disclosure vulnerability in TP-Link router web interfaces that allows remote attackers to obtain administrative credentials. Successful exploitation grants full administrative access to the web panel, affecting numerous TP-Link router models. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:

TP-Link WA901ND
Archer C5
Archer C7
MR3420
MR6400
WA701ND
WA801ND
WDR3500
WDR3600
WE843N
WR1043ND
WR1045ND
WR740N
WR741ND
WR749N
WR802N
WR840N
WR841HP
WR841N
WR842N
WR842ND
WR845N
WR940N
WR941HP
WR945N
WR949N
WRD4300

Versions: WA901ND: before 3.16.9(201211) beta; Other models: specific vulnerable versions not specified but all listed models affected

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web interface on these TP-Link router models; vulnerability exists in default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control of router, can reconfigure network settings, intercept traffic, install malware, or use device as pivot point into internal network.

🟠

Likely Case

Attacker obtains administrative credentials and gains control of router web interface, potentially changing DNS settings, firewall rules, or network configuration.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to isolated network segment; attacker cannot pivot to critical systems.

🌐 Internet-Facing: HIGH - Vulnerability is remotely exploitable without authentication on internet-facing devices.

🏢 Internal Only: HIGH - Even internally, vulnerability allows unauthorized administrative access to network infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details and proof-of-concept code publicly available; simple HTTP request can trigger password disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WA901ND: 3.16.9(201211) beta or later; Other models: check TP-Link security advisory for specific patched versions

Vendor Advisory: https://www.tp-link.com/us/security

Restart Required: Yes

Instructions:

1. Visit TP-Link support site for your specific model. 2. Download latest firmware version. 3. Log into router web interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Router will reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Log into router > Security > Remote Management > Disable

Change Default Admin Password

all

Use strong unique password even if vulnerable

Log into router > System Tools > Password > Set new strong password

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict firewall rules
Implement network monitoring for unauthorized access attempts to router admin interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version against TP-Link security advisory; test with known exploit if authorized

Check Version:

Log into router web interface > Status > Firmware Version or System Tools > Firmware Upgrade

Verify Fix Applied:

Verify firmware version is patched; attempt exploitation (with authorization) to confirm failure

📡 Detection & Monitoring

Log Indicators:

Unusual admin login attempts
Firmware modification logs
Configuration change logs without authorized user

Network Indicators:

HTTP requests to router admin interface from unexpected sources
Traffic patterns suggesting router compromise

SIEM Query:

source_ip=external AND dest_ip=router_ip AND (uri_contains="admin" OR uri_contains="login" OR uri_contains="password")

📊 Metadata

CVE ID: CVE-2020-35575

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: December 26, 2020

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/163274/TP-Link-TL-WR841N-Command-Injection.html Exploit,Third Party Advisory,VDB Entry
https://pastebin.com/F8AuUdck Third Party Advisory
https://static.tp-link.com/2020/202012/20201214/wa901ndv5_eu_3_16_9_up_boot%28201211%29.zip
https://www.tp-link.com/us/security Vendor Advisory
http://packetstormsecurity.com/files/163274/TP-Link-TL-WR841N-Command-Injection.html Exploit,Third Party Advisory,VDB Entry
https://pastebin.com/F8AuUdck Third Party Advisory
https://static.tp-link.com/2020/202012/20201214/wa901ndv5_eu_3_16_9_up_boot%28201211%29.zip
https://www.tp-link.com/us/security Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Archer C5 Firmware by Tp Link

Archer C7 Firmware by Tp Link

Mr3420 Firmware by Tp Link

Mr6400 Firmware by Tp Link

Wa701nd Firmware by Tp Link

Wa801nd Firmware by Tp Link

Wa901nd Firmware by Tp Link

Wdr3500 Firmware by Tp Link

Wdr3600 Firmware by Tp Link

We843n Firmware by Tp Link

Wr1043nd Firmware by Tp Link

Wr1045nd Firmware by Tp Link

Wr740n Firmware by Tp Link

Wr741nd Firmware by Tp Link

Wr749n Firmware by Tp Link

Wr802n Firmware by Tp Link

Wr840n Firmware by Tp Link

Wr841hp Firmware by Tp Link

Wr841n Firmware by Tp Link

Wr842n Firmware by Tp Link

Wr842nd Firmware by Tp Link

Wr845n Firmware by Tp Link

Wr940n Firmware by Tp Link

Wr941hp Firmware by Tp Link

Wr945n Firmware by Tp Link

Wr949n Firmware by Tp Link

Wrd4300 Firmware by Tp Link