PT-2023-7515 · Tp Link · Tp-Link Archer Vr1600V

Published: 2023-01-15 · Updated: 2025-01-21 · CVE-2023-31756

CVSS v2.0: 6.8 (Medium)
Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: TP-Link Archer VR1600V versions <= 0.1.0, 0.9.1 v5006.0 Build 220518 Rel.32480n
Description: A command injection issue exists in the administrative web portal of TP-Link Archer VR1600V devices. It allows a remote attacker who is authenticated as an administrator user to open an operating-system-level shell via the X TP IfName parameter. Exploitation of this issue can enable an attacker to read, modify, or delete files, execute arbitrary commands, or cause a denial of service by sending specially crafted HTTP requests.
Recommendations: For TP-Link Archer VR1600V versions <= 0.1.0, 0.9.1 v5006.0 Build 220518 Rel.32480n, consider disabling access to the administrative web portal until a patch is available. As a temporary workaround, restrict the use of the X TP IfName parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-08560
CVE-2023-31756

Affected Products

Tp-Link Archer Vr1600V