CVE-2023-43138

8.8 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in TPLINK TL-ER5120G routers where authenticated attackers can execute arbitrary commands by injecting malicious payloads into NAPT rule names. This affects organizations using these specific router models with vulnerable firmware versions, potentially allowing attackers to gain full control of affected devices.

💻 Affected Systems

Products:
  • TPLINK TL-ER5120G
Versions: 4.0 2.0.0 Build 210817 Rel.80868n
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have authenticated access to the router's web interface to add NAPT rules.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, pivot to internal networks, install persistent backdoors, or use the device as part of a botnet.

🟠 Likely Case

Attackers with network access can gain administrative control of the router, modify network configurations, and potentially access connected systems.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without lateral movement to critical systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is straightforward once access is obtained. Public proof-of-concept demonstrates the injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check TPLINK website for firmware updates. If available, download latest firmware, log into router admin interface, navigate to System Tools > Firmware Upgrade, upload new firmware file, and apply.

🔧 Temporary Workarounds

Restrict Admin Access

Limit administrative access to the router's web interface to trusted IP addresses only

Disable Remote Management

Turn off remote administration features to prevent external access

🧯 If You Can't Patch

  • Segment the router on a dedicated management VLAN with strict access controls
  • Implement network monitoring for suspicious command execution patterns on the router

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Tools > Firmware Version

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify that the firmware version shown in the web interface is newer than the vulnerable build listed under Affected Systems

📡 Detection & Monitoring

Log Indicators:

  • Unusual NAPT rule creation with suspicious characters in rule names
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unexpected outbound connections from router to external IPs
  • Unusual traffic patterns from router management interface

SIEM Query:

source="router_logs" AND ((event="NAPT_rule_added" AND rule_name MATCHES "[;|&`$()]") OR (event="admin_login" AND src_ip NOT IN trusted_ips))
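The SIEM query above can also be run as a small standalone check over exported router logs. The following Python script is an added example, not part of this advisory or TP-Link's tooling; it assumes a key=value log layout (the sample lines are constructed, not real TL-ER5120G output) and applies the same two rules: NAPT rule names containing shell metacharacters, and admin logins from outside a trusted allow-list.

```python
import re

# Constructed sample log lines in a key=value layout; this format is an
# assumption for the example, not actual TL-ER5120G syslog output.
SAMPLE_LOGS = [
    'event="admin_login" src_ip=192.168.1.10 user=admin',
    'event="NAPT_rule_added" src_ip=192.168.1.10 rule_name="office_web"',
    'event="admin_login" src_ip=203.0.113.7 user=admin',
    'event="NAPT_rule_added" src_ip=203.0.113.7 rule_name="lan;test"',
    'event="NAPT_rule_added" src_ip=192.168.1.10 rule_name="vpn$(x)"',
]

# Hosts allowed to reach the admin interface (constructed allow-list).
TRUSTED_IPS = {"192.168.1.10"}

# Same character class as the SIEM query: shell metacharacters that have
# no legitimate place in a NAPT rule name.
SHELL_METACHARS = re.compile(r"[;|&`$()]")

# Matches key=value and key="quoted value" tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict of field name -> value."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def check_event(fields, trusted_ips):
    """Return an alert reason for a parsed event, or None if it looks benign."""
    event = fields.get("event")
    if event == "NAPT_rule_added":
        if SHELL_METACHARS.search(fields.get("rule_name", "")):
            return "suspicious_napt_rule_name"
    elif event == "admin_login":
        if fields.get("src_ip") not in trusted_ips:
            return "untrusted_admin_login"
    return None


def detect(lines, trusted_ips):
    """Run both rules over raw log lines; returns (reason, src_ip, detail) tuples."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        reason = check_event(fields, trusted_ips)
        if reason:
            detail = fields.get("rule_name") or fields.get("user", "")
            alerts.append((reason, fields.get("src_ip"), detail))
    return alerts


if __name__ == "__main__":
    for reason, src_ip, detail in detect(SAMPLE_LOGS, TRUSTED_IPS):
        print(f"{reason}: src_ip={src_ip} detail={detail!r}")
```

Against the constructed sample, the script flags the admin login from 203.0.113.7 and the two rule names containing `;` and `$(`, and leaves the benign login and the `office_web` rule alone. Adjust the regular expression in `_KV` to whatever layout your log export actually uses; the detection rules themselves do not depend on it.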
