First published: Fri Feb 18 2022(Updated: )
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of file name extensions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-13910.
Credit: zdi-disclosures@trendmicro.com
Affected Software | Affected Version | How to fix |
---|---|---|
Tp-link Tl-wr940n Firmware | <211111 | |
TP-Link TL-WR940N | ||
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2022-24355 is high with a severity value of 8.8.
CVE-2022-24355 can be exploited by network-adjacent attackers to execute arbitrary code on TP-Link TL-WR940N routers without authentication.
TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers are affected by CVE-2022-24355.
No, authentication is not required to exploit CVE-2022-24355.
To fix CVE-2022-24355, update your TP-Link TL-WR940N router firmware to a version that addresses the vulnerability.