CVE-2023-44447 – This vulnerability allows attackers on the same... (How to Fix)

Q: What is the severity of CVE-2023-44447?

CVE-2023-44447 has a CVSS score of 6.5 (MEDIUM). This vulnerability allows attackers on the same network to access the TP-Link TL-WR902AC router's web interface without authentication and retrieve stored credentials. It affects TP-Link TL-WR902AC routers with vulnerable firmware versions. Network-adjacent attackers can exploit this to gain unauthorized access to router credentials.

📋 TL;DR

This vulnerability allows attackers on the same network to access the TP-Link TL-WR902AC router's web interface without authentication and retrieve stored credentials. It affects TP-Link TL-WR902AC routers with vulnerable firmware versions. Network-adjacent attackers can exploit this to gain unauthorized access to router credentials.

💻 Affected Systems

Products:

TP-Link TL-WR902AC

Versions: Specific vulnerable firmware versions not specified in CVE description; likely multiple versions before patch

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the httpd service on TCP port 80. Requires attacker to be on the same network segment as the router.

📦 What is this software?

Tl Wr902ac Firmware by Tp Link

View all CVEs affecting Tl Wr902ac Firmware →

Tl Wr902ac Firmware by Tp Link

View all CVEs affecting Tl Wr902ac Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain administrative credentials, take full control of the router, redirect traffic, intercept communications, and use the router as a pivot point to attack other devices on the network.

🟠

Likely Case

Attackers retrieve router admin credentials, change router settings, monitor network traffic, and potentially compromise connected devices.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: LOW (requires network adjacency, not directly internet exploitable unless router's admin interface is exposed to WAN)

🏢 Internal Only: HIGH (any device on the same network segment can exploit without authentication)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

ZDI-CAN-21529 tracking suggests detailed technical analysis exists. Exploitation requires network access but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link firmware updates for TL-WR902AC

Vendor Advisory: https://www.tp-link.com/us/support/download/tl-wr902ac/

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from TP-Link website. 4. Upload and install firmware. 5. Router will reboot automatically.

🔧 Temporary Workarounds

Disable HTTP admin access

all

Disable HTTP web interface and use HTTPS only if supported

Router-specific: Admin interface > Security > Remote Management > Disable HTTP

Restrict admin interface access

all

Limit admin interface access to specific IP addresses or MAC addresses

Router-specific: Admin interface > Security > Access Control

🧯 If You Can't Patch

Segment router management to separate VLAN with strict access controls
Implement network monitoring for unauthorized access attempts to router admin interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Tools > Firmware Upgrade and compare with latest version on TP-Link website

Check Version:

Router-specific: Access admin interface and check firmware version in System Tools section

Verify Fix Applied:

After firmware update, verify version matches patched release and test that unauthenticated access to credential endpoints is blocked

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful credential access
Unauthenticated requests to credential-related endpoints

Network Indicators:

Unusual HTTP requests to router IP on port 80 from internal hosts
Traffic patterns suggesting credential harvesting

SIEM Query:

source_ip=internal_network AND dest_ip=router_ip AND dest_port=80 AND (uri_contains="login" OR uri_contains="credential" OR uri_contains="password")

📊 Metadata

CVE ID: CVE-2023-44447

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-290

Published: May 3, 2024

Last Updated: September 4, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-23-1623/ Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1623/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-44447, you might also want to check these: