CVE-2024-46340
📋 TL;DR
Affected TP-Link TL-WR845N routers transmit user credentials in plaintext after a factory reset, allowing attackers to intercept login credentials. The issue affects specific firmware versions of the TL-WR845N(UN)_V4 model. Attackers on the same network can capture the credentials and gain administrative access.
💻 Affected Systems
- TP-Link TL-WR845N(UN)_V4
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative router access, change DNS settings, intercept all network traffic, install malware on connected devices, and pivot to internal networks.
Likely Case
Local network attackers capture admin credentials, reconfigure router settings, and monitor network traffic.
If Mitigated
With network segmentation and monitoring, impact is limited to the isolated network segment, and unusual router configuration changes can be detected.
🎯 Exploit Status
Exploitation requires network sniffing capabilities on the same network segment as the router after factory reset.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided in references
Restart Required: No
Instructions:
Check the TP-Link website for firmware updates. If an update is available:
1. Download the firmware from the TP-Link support site.
2. Log into the router admin interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload and apply the new firmware.
5. Do NOT perform a factory reset after the update.
🔧 Temporary Workarounds
Avoid Factory Reset
Do not perform a factory reset on vulnerable routers. If a reset is necessary, immediately change all credentials and monitor network traffic.
Network Segmentation
Isolate the router management interface on a separate VLAN with restricted access.
🧯 If You Can't Patch
- Replace affected routers with different models or updated versions
- Implement strict network monitoring for credential transmission and unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version in the admin interface under System Tools > Firmware Version. If the version is 201214, 200909, or 190219, the device is vulnerable.
Check Version:
Log in to the router web interface and navigate to the firmware version page, or check via SSH if enabled.
Verify Fix Applied:
After the firmware update, verify that the version is no longer one of the vulnerable versions. Use a network sniffer to confirm that credentials are encrypted after a factory reset.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts after factory reset
- Router configuration changes from unknown IPs
- Unusual admin login times/locations
Network Indicators:
- Plaintext HTTP POST requests containing admin credentials after factory reset
- Unencrypted authentication traffic to router IP
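The network indicator above can be checked with a small detector over reassembled HTTP requests. This is an added example, not code from the original page or from TP-Link; the request records, the router IP 192.168.0.1 and the /login path are constructed for illustration, and the credential field names are an assumed list.

```python
from urllib.parse import parse_qs

# Constructed sample of reassembled cleartext HTTP requests (not real captures).
# Each entry: (src_ip, dst_ip, dst_port, request_line, body)
SAMPLE_REQUESTS = [
    ("192.168.0.10", "192.168.0.1", 80, "POST /login HTTP/1.1", "username=admin&password=S3cret%21"),
    ("192.168.0.10", "192.168.0.1", 80, "GET /status HTTP/1.1", ""),
    ("192.168.0.11", "192.168.0.1", 80, "POST /login HTTP/1.1", "user=guest&pwd=guest123"),
    ("192.168.0.10", "93.184.216.34", 80, "POST /search HTTP/1.1", "q=weather"),
]

# Assumed set of form field names that typically carry a secret.
CREDENTIAL_FIELDS = {"password", "pwd", "pass", "passwd"}


def find_plaintext_credential_posts(requests, router_ip):
    """Return one finding per HTTP POST to router_ip whose body carries a
    credential-like form field. Only cleartext HTTP is inspectable here; a
    TLS-protected login would not expose its body to a sniffer at all.
    Secret values are deliberately not copied into the finding."""
    findings = []
    for src, dst, port, request_line, body in requests:
        if dst != router_ip:
            continue  # only traffic to the router management interface
        method, _, rest = request_line.partition(" ")
        path = rest.split(" ")[0]
        if method.upper() != "POST" or not body:
            continue  # credential submission is a POST with a form body
        fields = parse_qs(body, keep_blank_values=True)
        exposed = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
        if exposed:
            findings.append({"src": src, "dst": dst, "port": port,
                             "path": path, "fields": exposed})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credential_posts(SAMPLE_REQUESTS, "192.168.0.1"):
        print("plaintext credential POST:", finding)
```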
SIEM Query:
source="router_logs" AND (event="factory_reset" OR event="login" AND credential="plaintext")