CVE-2022-24973

8.0 HIGH

📋 TL;DR

This is a stack-based buffer overflow vulnerability in TP-Link TL-WR940N routers that allows authenticated attackers on the same network to execute arbitrary code with root privileges. The flaw exists in the httpd service due to insufficient input validation when copying user-supplied data to a fixed buffer. Only users with TP-Link TL-WR940N routers running specific vulnerable firmware are affected.

💻 Affected Systems

Products:
  • TP-Link TL-WR940N
Versions: 3.20.1 Build 200316 Rel.34392n (5553)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific firmware version. Authentication is required to exploit, meaning attackers need valid credentials for the router's web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router with root-level code execution, allowing attackers to intercept all network traffic, modify DNS settings, install persistent malware, and pivot to other devices on the network.

🟠 Likely Case: Router takeover leading to man-in-the-middle attacks, credential theft from network traffic, and installation of backdoors for persistent access.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent adjacent attackers from reaching the router's management interface.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication credentials and network adjacency. The vulnerability is well-documented with technical details available from ZDI.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link for latest firmware updates

Vendor Advisory: https://www.tp-link.com/us/support/download/tl-wr940n/

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to System Tools > Firmware Upgrade.
3. Download the latest firmware from the TP-Link website.
4. Upload and install the firmware.
5. The router will reboot automatically.

🔧 Temporary Workarounds

  • Disable remote management (applies to: all) — Prevent access to the router web interface from LAN/WLAN
  • Change default credentials (applies to: all) — Use strong, unique passwords for router admin access

🧯 If You Can't Patch

  • Segment router management interface to restricted VLAN
  • Implement network access controls to limit who can reach router management port 80

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Tools > Firmware Upgrade

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version matches latest available from TP-Link website

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login and unusual HTTP requests to router management interface
  • Unusual process execution or memory corruption events in router logs

Network Indicators:

  • Unusual HTTP POST requests to router port 80 with large payloads
  • Traffic patterns suggesting buffer overflow exploitation

SIEM Query:

source="router_logs" AND (event="authentication_success" OR event="http_request") AND (uri CONTAINS "/cgi" OR data_size>1000)
