CVE-2023-49913 – A stack-based buffer overflow vulnerability in ... (How to Fix)

Q: What is the severity of CVE-2023-49913?

CVE-2023-49913 has a CVSS score of 7.2 (HIGH). A stack-based buffer overflow vulnerability in TP-Link EAP225/EAP115 access points allows authenticated attackers to execute arbitrary code via specially crafted HTTP requests to the web interface's Radio Scheduling functionality. This affects organizations using these specific access point models with vulnerable firmware versions. Attackers can gain full control of the device.

📋 TL;DR

A stack-based buffer overflow vulnerability in TP-Link EAP225/EAP115 access points allows authenticated attackers to execute arbitrary code via specially crafted HTTP requests to the web interface's Radio Scheduling functionality. This affects organizations using these specific access point models with vulnerable firmware versions. Attackers can gain full control of the device.

💻 Affected Systems

Products:

TP-Link EAP225 V3
TP-Link EAP115

Versions: EAP225 v5.1.0 Build 20220926 and earlier; EAP115 v5.0.4 Build 20220216 and earlier

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to web interface. Affects Radio Scheduling functionality specifically.

📦 What is this software?

Eap115 Firmware by Tp Link

View all CVEs affecting Eap115 Firmware →

Eap225 Firmware by Tp Link

View all CVEs affecting Eap225 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the access point leading to network pivoting, credential harvesting, man-in-the-middle attacks, and persistent backdoor installation.

🟠

Likely Case

Unauthorized access to network traffic, device configuration changes, and potential lateral movement to connected systems.

🟢

If Mitigated

Limited to authenticated attackers only, with proper network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH if web interface exposed to internet, as authenticated attackers can exploit remotely.

🏢 Internal Only: MEDIUM to HIGH depending on internal network segmentation and authentication controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Detailed technical analysis and proof-of-concept available in Talos reports. Requires authentication but exploit is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link security advisories for latest patched versions

Vendor Advisory: https://www.tp-link.com/support/security/

Restart Required: Yes

Instructions:

1. Check current firmware version via web interface. 2. Download latest firmware from TP-Link support site. 3. Upload firmware via web interface System Tools > Firmware Upgrade. 4. Reboot device after upgrade completes.

🔧 Temporary Workarounds

Disable web interface access

all

Restrict access to management interface to trusted IPs only

Configure firewall rules to block external access to port 80/443 on AP management IP

Disable Radio Scheduling feature

all

Turn off vulnerable functionality if not required

Navigate to Radio Scheduling in web interface and disable all scheduling

🧯 If You Can't Patch

Segment access points on isolated VLAN with strict firewall rules
Implement strong authentication and limit admin access to minimum required users

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface: System Tools > Firmware Upgrade. Compare with vulnerable versions listed above.

Check Version:

Web interface: System Tools > Firmware Upgrade shows current version

Verify Fix Applied:

Verify firmware version is newer than vulnerable versions and test Radio Scheduling functionality.

📡 Detection & Monitoring

Log Indicators:

Multiple HTTP POST requests to /cgi-bin/luci/ with action parameter manipulation
Unusual authentication attempts to web interface

Network Indicators:

HTTP traffic to access point management interface with unusual parameter lengths
Traffic patterns suggesting buffer overflow attempts

SIEM Query:

source="access_point_logs" AND (url="/cgi-bin/luci/" AND method="POST" AND param="action" AND length>threshold)

📊 Metadata

CVE ID: CVE-2023-49913

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: April 9, 2024

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1888 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1888 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1888

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49913, you might also want to check these: