CVE-2021-3125
📋 TL;DR
This CVE describes an IPv6 routing loop vulnerability in multiple TP-Link router models. When IPv6 is enabled and specific routing conditions occur, affected devices can generate excessive network traffic between themselves and upstream ISP routers, potentially causing denial of service. This affects users of specific TP-Link router models with vulnerable firmware versions.
💻 Affected Systems
- TP-Link TL-XDR3230
- TP-Link TL-XDR1850
- TP-Link TL-XDR1860
- TP-Link TL-XDR3250
- TP-Link TL-XDR6060 Turbo
- TP-Link TL-XDR5430
⚠️ Risk & Real-World Impact
Worst Case
Sustained network denial of service affecting both the vulnerable router and upstream ISP infrastructure, potentially disrupting internet connectivity for all connected devices and causing collateral damage to ISP networks.
Likely Case
Intermittent network performance degradation, increased latency, and potential temporary loss of internet connectivity for devices behind the vulnerable router.
If Mitigated
Minimal impact if IPv6 is disabled or proper firmware updates are applied before exploitation occurs.
🎯 Exploit Status
Exploitation requires specific network conditions and IPv6 configuration, but no authentication is needed once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TL-XDR3230 >= 1.0.12, TL-XDR1850 >= 1.0.9, TL-XDR1860 >= 1.0.14, TL-XDR3250 >= 1.0.2, TL-XDR6060 Turbo >= 1.1.8, TL-XDR5430 >= 1.0.11
Vendor Advisory: https://service.tp-link.com.cn/detail_download_8719.html
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to the firmware update section.
3. Download the appropriate firmware version from the TP-Link support site.
4. Upload and apply the firmware update.
5. Reboot the router after the update completes.
🔧 Temporary Workarounds
Disable IPv6
Temporarily disable IPv6 functionality on the router to prevent exploitation until patching can be completed.
🧯 If You Can't Patch
- Disable IPv6 on the router configuration
- Replace vulnerable router with updated model or different vendor
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version in the admin interface and compare it against the patched versions listed under Official Fix.
Check Version:
Log into router web interface and navigate to System Tools > Firmware Upgrade or similar section
Verify Fix Applied:
Confirm firmware version shows patched version number in router admin interface after update
📡 Detection & Monitoring
Log Indicators:
- Unusually high volume of IPv6 traffic in router logs
- Routing table anomalies in system logs
- ISP connection stability issues logged
Network Indicators:
- Abnormally high network traffic between router and ISP gateway
- IPv6 routing loops detected via network monitoring
- Degraded network performance metrics
SIEM Query:
source="router_logs" AND ("IPv6 traffic spike" OR "routing loop" OR "excessive traffic")
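The network indicator "IPv6 routing loops detected via network monitoring" can be checked on a capture from the router's WAN link: a packet caught in a loop shows up on the same link again and again, with a lower hop limit on each pass. The following is an added example, not part of the advisory or any TP-Link material; the record format, the `find_loops` name, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (time_s, src, dst, hop_limit, payload_fingerprint)
# as exported from a capture on the router's WAN link. Addresses use the
# 2001:db8::/32 documentation prefix.
SAMPLE = [
    (0.000, "2001:db8:1::10", "2001:db8:2::1", 64, "p1"),     # normal, seen once
    (0.010, "2001:db8:1::10", "2001:db8:1:ff::9", 63, "p2"),  # same packet ...
    (0.011, "2001:db8:1::10", "2001:db8:1:ff::9", 61, "p2"),  # ... returns with
    (0.012, "2001:db8:1::10", "2001:db8:1:ff::9", 59, "p2"),  # hop limit down 2
    (0.013, "2001:db8:1::10", "2001:db8:1:ff::9", 57, "p2"),  # on every pass
    (0.200, "2001:db8:1::10", "2001:db8:2::1", 64, "p3"),     # retransmission:
    (0.450, "2001:db8:1::10", "2001:db8:2::1", 64, "p3"),     # hop limit unchanged
]

def find_loops(records, min_sightings=3, window_s=1.0):
    """Flag packets seen repeatedly with a strictly falling hop limit."""
    sightings = defaultdict(list)
    for ts, src, dst, hop_limit, fingerprint in records:
        sightings[(src, dst, fingerprint)].append((ts, hop_limit))

    findings = []
    for (src, dst, _), obs in sightings.items():
        obs.sort()
        run, best = [obs[0]], [obs[0]]
        for ts, hop_limit in obs[1:]:
            falling = hop_limit < run[-1][1]
            in_window = ts - run[0][0] <= window_s
            run = run + [(ts, hop_limit)] if falling and in_window else [(ts, hop_limit)]
            if len(run) > len(best):
                best = run
        if len(best) >= min_sightings:
            findings.append({"src": src, "dst": dst,
                             "hop_limits": [h for _, h in best]})
    return findings

if __name__ == "__main__":
    for f in find_loops(SAMPLE):
        print(f"possible routing loop {f['src']} -> {f['dst']}: hop limits {f['hop_limits']}")
```

A retransmitted packet keeps its original hop limit, so only the falling sequence is reported; that distinction keeps ordinary retries from triggering the check.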
🔗 References
- https://service.tp-link.com.cn/detail_download_8719.html
- https://service.tp-link.com.cn/detail_download_8720.html
- https://service.tp-link.com.cn/detail_download_8722.html
- https://service.tp-link.com.cn/detail_download_8723.html
- https://service.tp-link.com.cn/detail_download_8724.html
- https://service.tp-link.com.cn/detail_download_8725.html