CVE-2021-41451

7.5 HIGH

📋 TL;DR

A cache poisoning vulnerability in TP-Link Archer AX10 v1 routers allows remote attackers to manipulate HTTP responses by sending specially crafted requests. This affects users with unpatched firmware who have the web interface exposed. Attackers can poison caches to redirect users to malicious sites or serve harmful content.

💻 Affected Systems

Products:
  • TP-Link Archer AX10 v1
Versions: All versions before V1_211117
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface component. Requires HTTP/1.0 or HTTP/1.1 protocol usage.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could redirect all router web interface traffic to malicious sites, potentially stealing credentials, installing malware, or performing man-in-the-middle attacks on router administration.

🟠

Likely Case

Cache poisoning leading to users being redirected to phishing sites or served malicious content when accessing the router's web interface.

🟢

If Mitigated

Limited impact with proper network segmentation and firewall rules preventing external access to router web interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific HTTP requests but no authentication is needed. Cache poisoning attacks require additional conditions to be effective.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1_211117 or later

Vendor Advisory: https://www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware

Restart Required: Yes

Instructions:

1. Download firmware V1_211117 or later from the TP-Link support site.
2. Log into the router web interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the firmware file.
5. Wait for the upgrade to complete and the router to reboot.

🔧 Temporary Workarounds

Disable Remote Management
Applies to: all
Prevent external access to the router web interface.

Restrict Web Interface Access
Applies to: all
Use firewall rules to limit access to router administration.

🧯 If You Can't Patch

  • Isolate router management interface to trusted internal network only
  • Implement network segmentation to limit potential attack surface

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface under System Tools > Firmware Upgrade. If the version is earlier than V1_211117, the device is vulnerable.

Check Version:

Check via the web interface, or use nmap/curl to query the router's reported version.

Verify Fix Applied:

Confirm firmware version shows V1_211117 or later after upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP/0.9 response patterns
  • Multiple malformed HTTP requests to router web interface

Network Indicators:

  • HTTP requests with crafted headers targeting router IP
  • Unexpected HTTP/0.9 responses from router

SIEM Query:

source_ip=router_ip AND (http_version="0.9" OR http_status_code=0)
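The SIEM query above, written out as a small Python detector and run over constructed response-log lines (an added example, not part of the advisory). The key=value log format, the router address 192.168.0.1, and the convention that a logger records status 0 for a status-less HTTP/0.9 reply are assumptions; it also goes one step beyond the query by grouping hits per client, matching the "multiple malformed requests" log indicator.

```python
import re
from collections import Counter

# Constructed sample response-log lines (not from the advisory). Each line
# records one response the router (src) sent to a client (dst).
SAMPLE_LOG = """\
2021-11-20T10:00:01Z src=192.168.0.1 dst=192.0.2.10 http_version=1.1 status=200 path=/webpages/index.html
2021-11-20T10:00:02Z src=192.168.0.1 dst=192.0.2.10 http_version=0.9 status=0 path=/
2021-11-20T10:00:03Z src=192.168.0.1 dst=10.0.0.5 http_version=1.0 status=302 path=/cgi-bin/luci
2021-11-20T10:00:04Z src=192.168.0.1 dst=192.0.2.10 http_version=0.9 status=0 path=/cgi
2021-11-20T10:00:05Z src=10.0.0.9 dst=192.168.0.1 http_version=1.1 status=0 path=/
2021-11-20T10:00:06Z src=192.168.0.1 dst=203.0.113.7 http_version=1.1 status=0 path=/login.html
"""

ROUTER_IP = "192.168.0.1"  # assumed LAN address of the router (assumption)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def find_downgrade_responses(log_text, router_ip=ROUTER_IP):
    """Entries matching the advisory's query:
    source_ip=router_ip AND (http_version="0.9" OR http_status_code=0).
    HTTP/0.9 replies carry no status line, so a logger records status 0."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry.get("src") != router_ip:
            continue  # only responses originating from the router matter
        if entry.get("http_version") == "0.9" or entry.get("status") == "0":
            hits.append(entry)
    return hits


def clients_with_repeated_hits(hits, threshold=2):
    """Clients that received at least `threshold` suspicious responses; a burst
    aimed at one client is stronger evidence than a single odd reply."""
    counts = Counter(h["dst"] for h in hits)
    return {dst: n for dst, n in counts.items() if n >= threshold}
```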
