CVE-2022-24355

8.8 HIGH (CVSS v3.1 base score; attack vector: adjacent network, no privileges or user interaction required)

📋 TL;DR

This vulnerability allows a network-adjacent attacker to execute arbitrary code as root on TP-Link TL-WR940N routers without authentication. It is a stack-based buffer overflow in the handling of file name extensions in HTTP requests: the length of attacker-supplied data is not validated before it is copied into a fixed-length stack buffer, so a crafted request can overwrite the stack and hijack control flow. Only the TL-WR940N running the vulnerable firmware build listed below is known to be affected.
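The following C program is an added illustration of the bug class the TL;DR describes; it is not code from the TL-WR940N firmware or from TP-Link. A request handler copies the extension of a requested file name into a fixed-size stack buffer without checking its length, shown beside a hardened version that measures the extension and bounds the copy. The buffer size, the function names and the request paths are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer that receives the extension. */
#define EXT_BUF_SIZE 8

/* Classification result of the hardened parser. */
typedef enum { EXT_NONE, EXT_HTML, EXT_OTHER, EXT_REJECTED } ext_class_t;

/* Return a pointer to the extension (text after the last '.' in the final
 * path component), or NULL when the final component has no extension. */
static const char *find_extension(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    const char *dot = strrchr(base, '.');
    return (dot && dot[1] != '\0') ? dot + 1 : NULL;
}

/* VULNERABLE pattern (illustrative, not the vendor's code): the extension is
 * copied with strcpy into ext[] with no length check.  Any extension longer
 * than EXT_BUF_SIZE - 1 bytes writes past ext[] into the saved frame data,
 * which is the stack-based overflow an attacker turns into code execution.
 * Only ever called with short, trusted paths in this program. */
static bool is_html_vulnerable(const char *path)
{
    char ext[EXT_BUF_SIZE];
    const char *e = find_extension(path);
    if (!e)
        return false;
    strcpy(ext, e);   /* unbounded copy: this is the bug */
    return strcmp(ext, "htm") == 0 || strcmp(ext, "html") == 0;
}

/* HARDENED pattern: measure first, refuse anything that cannot fit together
 * with its terminator, then copy exactly the measured bytes. */
static ext_class_t classify_safe(const char *path)
{
    char ext[EXT_BUF_SIZE];
    const char *e = find_extension(path);
    if (!e)
        return EXT_NONE;
    size_t n = strlen(e);
    if (n >= sizeof ext)             /* n + 1 bytes would not fit */
        return EXT_REJECTED;
    memcpy(ext, e, n + 1);           /* bounded: n + 1 <= sizeof ext */
    if (strcmp(ext, "htm") == 0 || strcmp(ext, "html") == 0)
        return EXT_HTML;
    return EXT_OTHER;
}

int main(void)
{
    /* Constructed request path with a 632-byte extension, the kind of input
     * that overflows the vulnerable version; only the safe version sees it. */
    char path[640];
    memset(path, 'A', sizeof path - 1);
    path[sizeof path - 1] = '\0';
    memcpy(path, "/index.", 7);

    printf("vulnerable, benign input : %d\n", is_html_vulnerable("/index.html"));
    printf("safe, /index.html        : %d\n", classify_safe("/index.html"));
    printf("safe, /userRpm/x.js      : %d\n", classify_safe("/userRpm/x.js"));
    printf("safe, 632-byte extension : %d (EXT_REJECTED)\n", classify_safe(path));
    return 0;
}
```

The hardened version rejects before copying rather than truncating: silently truncating an over-long extension would keep the server up but could still let a request be classified as a file type the attacker chose.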

💻 Affected Systems

Products:
  • TP-Link TL-WR940N
Versions: 3.20.1 Build 200316 Rel.34392n (5553)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The build listed above is the one confirmed affected. TL-WR940N firmware is specific to each hardware revision, so check the hardware version as well as the firmware version. Authentication is not required for exploitation.

📦 What is this software?

The TL-WR940N is a consumer wireless-N router from TP-Link. It is administered through a browser-based management interface served by the firmware's built-in HTTP server, which is the attack surface this advisory concerns: the vulnerable extension parsing is reached through HTTP requests to that interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with root access, allowing attacker to intercept all network traffic, modify DNS settings, install persistent malware, and pivot to other devices on the network.

🟠

Likely Case

Router takeover leading to man-in-the-middle attacks, credential theft, and network surveillance.

🟢

If Mitigated

No impact once the router is patched. Isolation only helps if every host that can reach the management interface is trusted, because the flaw needs no credentials.

🌐 Internet-Facing: MEDIUM - The CVSS vector requires network adjacency and the management interface is normally reachable only from the LAN side; exposure from the internet arises mainly if remote (WAN-side) management has been enabled.
🏢 Internal Only: HIGH - Any host on the LAN or Wi-Fi, including a guest device or a compromised IoT device, can exploit the flaw without credentials.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: No public exploit known; treat as likely given the pre-auth, low-complexity nature of the bug
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published an advisory with technical details. Because no authentication is required, exploitation is straightforward for any attacker with network adjacency to the management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated here; obtain the current firmware for your exact hardware version from TP-Link

Vendor Advisory: No separate advisory is listed on this page; firmware downloads: https://www.tp-link.com/us/support/download/tl-wr940n/

Restart Required: Yes

Instructions:

1. Log into the router admin interface.
2. Navigate to System Tools > Firmware Upgrade and note both the Firmware Version and the Hardware Version shown there.
3. Download the latest firmware for that hardware version from the TP-Link website. TP-Link firmware is hardware-version specific; flashing an image built for a different hardware version can leave the device unusable.
4. Upload and install the firmware from the same page.
5. The router will reboot automatically; afterwards confirm the new version string on the Firmware Upgrade page.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all versions

Isolate the router from untrusted networks and limit which hosts can reach the management interface (for example, keep guest and IoT devices off the segment from which the router is administered). The flaw is unauthenticated, so any host that can reach the HTTP interface can still exploit it; segmentation reduces exposure, it does not remove the bug.

Disable Remote Management

Applies to: all versions

Ensure the management interface is reachable only from the LAN, not the WAN, so the flaw cannot be reached from the internet.

🧯 If You Can't Patch

  • Replace router with supported model that receives security updates
  • Implement strict network segmentation and firewall rules to limit router exposure

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Tools > Firmware Upgrade

Check Version:

No command-line check; the version string is shown in the web interface (System Tools > Firmware Upgrade lists both Firmware Version and Hardware Version)

Verify Fix Applied:

Confirm firmware version is newer than 3.20.1 Build 200316 Rel.34392n (5553)

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the management interface whose requested file name carries an unusually long or non-alphanumeric extension. The router's own System Log is volatile and unlikely to record malformed requests, so expect this evidence from a proxy, IDS or network sensor rather than from the router.
  • Unexpected reboots or an unresponsive web interface, which a failed overflow attempt tends to cause by crashing the HTTP service.

Network Indicators:

  • HTTP traffic to the router's management port (80, or 443 if HTTPS is enabled) from hosts that do not normally administer it.
  • Requests whose path has an abnormally long extension after the final '.', or an extension containing percent-encoded or binary bytes, consistent with an attempt to overflow the extension parser.

SIEM Query:

The router's own logs will not contain strings such as "buffer overflow", so the query has to run against a proxy or network-sensor feed that records request URIs. The source name, field names and router address below are assumptions to adapt to your environment:

source="http_logs" dest_ip="192.168.0.1" dest_port=80 | regex uri="\.[^/?]{32,}(\?|$)"
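As an added example (not part of this page's original query, and not a TP-Link or router log format), the following C program runs the same extension heuristic over constructed HTTP log lines of an assumed tab-separated shape `<ts> <src_ip> <dst_ip> <method> <uri>`, as a proxy or network sensor might emit. The router's LAN address 192.168.0.1, the 16-byte extension limit and the sample lines are all assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ROUTER_IP   "192.168.0.1"   /* assumed LAN address of the router */
#define MAX_EXT_LEN 16              /* assumed upper bound for a legitimate extension */

/* Constructed sample lines (not real captures): ts, src, dst, method, uri. */
static const char *const SAMPLE_LOG[] = {
    "1700000000.1\t192.168.0.23\t192.168.0.1\tGET\t/userRpm/StatusRpm.htm",
    "1700000000.2\t192.168.0.23\t192.168.0.1\tGET\t/dynaform/css_main.css?v=3",
    "1700000000.3\t192.168.0.23\t203.0.113.10\tGET\t/file.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "1700000000.4\t192.168.0.77\t192.168.0.1\tGET\t/index.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "1700000000.5\t192.168.0.77\t192.168.0.1\tGET\t/index.%90%90%90",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Length of the extension of the last path component (query string
 * ignored); 0 when there is none.  *odd is set when the extension holds
 * anything other than ASCII letters and digits. */
static size_t uri_extension_len(const char *uri, bool *odd)
{
    const char *end = uri + strcspn(uri, "?");
    const char *dot = NULL;
    *odd = false;
    for (const char *p = uri; p < end; ++p) {
        if (*p == '/')
            dot = NULL;         /* a new path component resets the search */
        else if (*p == '.')
            dot = p;
    }
    if (!dot)
        return 0;
    for (const char *p = dot + 1; p < end; ++p)
        if (!isalnum((unsigned char)*p))
            *odd = true;
    return (size_t)(end - (dot + 1));
}

/* True when the line is a request to the router whose file name extension
 * is abnormally long or contains non-alphanumeric bytes. */
static bool is_suspicious_line(const char *line)
{
    char ts[32], src[64], dst[64], method[16], uri[4096];
    if (sscanf(line, "%31s %63s %63s %15s %4095s", ts, src, dst, method, uri) != 5)
        return false;             /* not a well-formed line of the assumed shape */
    if (strcmp(dst, ROUTER_IP) != 0)
        return false;             /* only traffic to the router matters here */
    bool odd;
    size_t n = uri_extension_len(uri, &odd);
    return n > MAX_EXT_LEN || odd;
}

/* Count (and, when report is set, print) the suspicious lines. */
static size_t count_suspicious(const char *const *lines, size_t n, bool report)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; ++i) {
        if (is_suspicious_line(lines[i])) {
            ++hits;
            if (report)
                printf("ALERT: %s\n", lines[i]);
        }
    }
    return hits;
}

int main(void)
{
    size_t hits = count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN, true);
    printf("%zu of %zu sample lines flagged\n", hits, SAMPLE_LOG_LEN);
    return 0;
}
```

Two of the five sample lines are flagged: the over-long extension and the percent-encoded one. The request with a long extension sent to an internet host is ignored on purpose, since only requests that reach the router's HTTP interface can trigger this flaw; widen the destination filter if the router also serves HTTPS on 443.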

🔗 References

  • NVD entry for CVE-2022-24355: https://nvd.nist.gov/vuln/detail/CVE-2022-24355
  • TP-Link firmware downloads for the TL-WR940N: https://www.tp-link.com/us/support/download/tl-wr940n/