Login Sign Up

CVE-2023-31710

9.8 CRITICAL
Remote Code Execution Buffer Overflow

📋 TL;DR

This CVE describes a buffer overflow vulnerability in TP-Link Archer AX21 routers that could allow remote code execution. Attackers can exploit this to take control of affected devices. Only TP-Link Archer AX21(US) V3 models with specific firmware versions are affected.

💻 Affected Systems

Products:
  • TP-Link Archer AX21(US)
Versions: V3_1.1.4 Build 20230219 and V3.6_1.1.4 Build 20230219
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only US region models with V3 hardware and specific firmware builds. Other models/regions may be unaffected.

📦 What is this software?

Archer Ax21 Firmware by Tp Link

View all CVEs affecting Archer Ax21 Firmware →

Archer Ax21 Firmware by Tp Link

View all CVEs affecting Archer Ax21 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full control of router, can intercept/modify all network traffic, install persistent malware, pivot to internal network, and brick the device.

🟠

Likely Case

Remote code execution leading to router compromise, network traffic interception, DNS hijacking, and credential theft from connected devices.

🟢

If Mitigated

With proper network segmentation and firewall rules, impact limited to isolated router compromise without lateral movement to internal systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available in GitHub repository. Exploit requires network access to router management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link support for latest firmware

Vendor Advisory: https://www.tp-link.com/us/support/download/archer-ax21/

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from TP-Link website. 4. Upload and install firmware. 5. Router will reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevents external exploitation by disabling remote access to router admin interface

Network Segmentation

all

Isolate router management interface to separate VLAN with strict firewall rules

🧯 If You Can't Patch

  • Replace affected router with patched model or different vendor
  • Implement strict network ACLs to block all external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Tools > Firmware Upgrade

Check Version:

Login to router web interface and check firmware version

Verify Fix Applied:

Verify firmware version is newer than affected builds and test for buffer overflow using available PoC

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts to router
  • Firmware modification logs
  • Unexpected reboots

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Port scanning from router IP

SIEM Query:

source="router_logs" AND (event_type="authentication_failure" OR event_type="firmware_change")

📊 Metadata

CVE ID: CVE-2023-31710
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: August 1, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31710, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)