Login Sign Up

CVE-2024-12343

6.5 MEDIUM
Remote Code Execution Denial of Service Buffer Overflow

📋 TL;DR

A critical buffer overflow vulnerability in TP-Link VN020 F3v(T) routers allows attackers within the local network to execute arbitrary code or cause denial-of-service by manipulating SOAP requests. This affects the router's WANIPConnection component via the NewConnectionType argument. Only devices on the local network are at risk, but exploitation could lead to full device compromise.

💻 Affected Systems

Products:
  • TP-Link VN020 F3v(T)
Versions: TT_V6.2.1021
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific model and firmware version; other TP-Link devices are not confirmed vulnerable.

📦 What is this software?

Vn020 F3v Firmware by Tp Link

View all CVEs affecting Vn020 F3v Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full router compromise, data interception, or persistent backdoor installation.

🟠

Likely Case

Denial-of-service causing router crashes or instability, potentially disrupting network connectivity.

🟢

If Mitigated

Limited impact if network segmentation restricts access to the router's management interface.

🌐 Internet-Facing: LOW, as the exploit requires local network access and is not directly reachable from the internet.
🏢 Internal Only: HIGH, because attackers on the local network can exploit it without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub, making attacks easier for local network adversaries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tp-link.com/

Restart Required: No

Instructions:

Check TP-Link's website for firmware updates; if unavailable, consider workarounds or replacement.

🔧 Temporary Workarounds

Restrict Local Network Access

all

Segment the network to limit which devices can communicate with the router's management interface.

Disable Unused Services

all

Turn off SOAP or other remote management features if not required.

🧯 If You Can't Patch

  • Replace the router with a patched or unaffected model.
  • Implement strict network access controls and monitor for suspicious SOAP traffic.

🔍 How to Verify

Check if Vulnerable:

Check the router's firmware version via its web interface; if it matches TT_V6.2.1021, it is vulnerable.

Check Version:

Log into the router's admin panel and navigate to System Tools > Firmware Upgrade to view the current version.

Verify Fix Applied:

Update firmware if available and confirm the version no longer matches the vulnerable one.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SOAP requests to /control/WANIPConnection with manipulated NewConnectionType parameters.

Network Indicators:

  • Spikes in traffic to the router's management port (typically 80/443) from internal IPs.

SIEM Query:

source_ip IN (internal_range) AND dest_port IN (80,443) AND uri_path CONTAINS '/control/WANIPConnection' AND http_method = 'POST'

📊 Metadata

CVE ID: CVE-2024-12343
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-119
Published: December 8, 2024
Last Updated: December 10, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12343, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)