CVE-2024-21773

Summary

Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product from the LAN port or Wi-Fi to execute arbitrary OS commands on the product that has pre-specified target devices and blocked URLs in parental control settings.

Affected Software

VendorProductVersion RangeStatus
TP-LinkArcher AX3000firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"affected
TP-LinkArcher AX5400firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"affected
TP-LinkDeco X50firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"affected
TP-LinkDeco XE200firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120"affected
TP-LinkArcher Air R5firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"affected

Weaknesses

  • Information disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References