CVE-2020-35576

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users to execute arbitrary commands as root on TP-Link TL-WR841N V13 (JP) routers via the traceroute feature. Attackers can inject shell metacharacters to gain full system control. Only users with authentication credentials can exploit this vulnerability.

💻 Affected Systems

Products:
  • TP-Link TL-WR841N V13 (JP)
Versions: Firmware versions prior to 201216
Operating Systems: Embedded Linux on TP-Link routers
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Japanese version (JP) of TL-WR841N V13. Requires authenticated access to router web interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing an attacker to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use the router as an attack platform.

🟠

Likely Case

Local network attacker with router credentials gains root access, modifies router settings, intercepts traffic, and potentially compromises connected devices.

🟢

If Mitigated

With proper authentication controls and network segmentation, impact is limited to compromise of the router itself, without lateral movement to other systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access. Command injection via traceroute feature is straightforward for attackers with credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 201216 or later

Vendor Advisory: https://www.tp-link.com/jp/support/download/tl-wr841n/v13/#Firmware

Restart Required: Yes

Instructions:

1. Download the latest firmware from the TP-Link Japan support site.
2. Log into the router web interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the firmware file.
5. Wait for the upgrade to complete and the router to reboot.

🔧 Temporary Workarounds

Disable traceroute feature (applies to: all)

Remove or disable traceroute functionality in the router web interface if it is not needed.

Restrict admin access (applies to: all)

Limit router admin interface access to specific IP addresses only.

🧯 If You Can't Patch

  • Change all router admin passwords to strong, unique credentials
  • Isolate router on separate VLAN and restrict access to management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Tools > Firmware Upgrade. If version is earlier than 201216, device is vulnerable.

Check Version:

Log in to the router web interface and navigate to System Tools > Firmware Upgrade to view the current version.

Verify Fix Applied:

After firmware update, verify version shows 201216 or later in System Tools > Firmware Upgrade page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual traceroute commands in router logs
  • Multiple failed login attempts followed by traceroute activity
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from router
  • Traffic redirection or DNS changes
  • Router connecting to unexpected external IPs

SIEM Query:

source="router-logs" AND (traceroute OR "system command" OR shell) AND NOT user="legitimate-admin"
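As an added illustration of the detection idea above (not part of the original advisory or of any TP-Link code): an allowlist check that accepts only a literal IP address or a hostname as a traceroute target, applied to constructed access-log lines to flag requests whose target carries shell metacharacters. The log line format is assumed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Characters that have no place in a host argument and that a shell would
# interpret if the argument were spliced into a command line.
SHELL_METACHARS = set(";|&`$()<>\n\r\\\"' {}")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def is_safe_traceroute_target(value: str) -> bool:
    """Allowlist check: true only for an IPv4/IPv6 literal or a plain hostname."""
    if not value or any(ch in SHELL_METACHARS for ch in value):
        return False
    try:
        ipaddress.ip_address(value)   # accepts "8.8.8.8", "2001:db8::1"
        return True
    except ValueError:
        pass
    # Leading "-" (option injection) also fails here: labels start alphanumeric.
    return bool(HOSTNAME_RE.match(value))


# Constructed sample log lines (assumed format, not real router output).
SAMPLE_LOG = """2024-01-01T10:00:00Z user=admin action=traceroute target="8.8.8.8"
2024-01-01T10:00:05Z user=admin action=login result=ok
2024-01-01T10:01:00Z user=admin action=traceroute target="example.com"
2024-01-01T10:02:00Z user=admin action=traceroute target="8.8.8.8;whoami"
2024-01-01T10:03:00Z user=guest action=traceroute target="$(id)"
"""

LOG_RE = re.compile(r'user=(?P<user>\S+) action=traceroute target="(?P<target>[^"]*)"')


def find_suspicious_traceroute(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return user/target pairs for traceroute requests whose target fails the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and not is_safe_traceroute_target(m["target"]):
            hits.append({"user": m["user"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_traceroute(SAMPLE_LOG.splitlines()):
        print(f"suspicious traceroute target from {hit['user']}: {hit['target']!r}")
```

The same check belongs in front of any code path that hands a user-supplied host to a shell; here it doubles as a log triage rule.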
