CVE-2024-46325
📋 TL;DR
TP-Link WR740N V6 routers have a stack overflow vulnerability in the web interface's site survey page. Attackers can exploit this by sending specially crafted SSID parameters to cause buffer overflows, potentially leading to remote code execution. This affects all users of TP-Link WR740N V6 routers with default configurations.
💻 Affected Systems
- TP-Link WR740N
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges, allowing complete device takeover, network compromise, and lateral movement to connected devices.
Likely Case
Device crash/reboot causing denial of service, or limited code execution for information disclosure.
If Mitigated
Denial of service only if exploit attempts are blocked or fail.
🎯 Exploit Status
Exploit requires authentication to the web interface. Public proof-of-concept exists in GitHub repository. Weaponization likely due to low complexity and public PoC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not found in provided references
Restart Required: No
Instructions:
1. Check TP-Link website for firmware updates for WR740N V6. 2. If update available, download from official TP-Link site. 3. Log into router web interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and apply new firmware. 6. Wait for router to reboot.
🔧 Temporary Workarounds
Disable Remote Management
allPrevent external access to vulnerable web interface
Log into router web interface > Security > Remote Management > Disable
Change Default Credentials
allPrevent unauthorized access to web interface
Log into router web interface > System Tools > Password > Change admin password
Network Segmentation
allIsolate router management interface from untrusted networks
Configure firewall rules to restrict access to router IP on ports 80/443 to trusted IPs only
🧯 If You Can't Patch
- Replace affected router with newer model that receives security updates
- Implement strict network access controls to limit who can reach router management interface
🔍 How to Verify
Check if Vulnerable:
Check router model and version via web interface (Status > Router Information) or sticker on device. If model is WR740N and version is V6, assume vulnerable.Check Version:
curl -s http://router-ip/userRpm/StatusRpm.htm | grep -i 'wr740n' or check web interface manuallyVerify Fix Applied:
Check firmware version after update. If no update available from vendor, vulnerability remains.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by POST requests to /userRpm/popupSiteSurveyRpm.htm with long SSID parameters
- Router crash/reboot logs
Network Indicators:
- Unusual POST requests to router IP on port 80/443 with long parameter values
- Traffic to /userRpm/popupSiteSurveyRpm.htm endpoint
SIEM Query:
source="router_logs" AND (url="/userRpm/popupSiteSurveyRpm.htm" OR (event="crash" AND device_model="WR740N"))