

Critical Windows Update Stack Flaw Enables Code Execution and Privilege Escalation
April 22, 2025
SideWinder APT Group aka Rattlesnake Targeting Pakistan – Active IOCs
April 22, 2025
Critical Windows Update Stack Flaw Enables Code Execution and Privilege Escalation
April 22, 2025
SideWinder APT Group aka Rattlesnake Targeting Pakistan – Active IOCs
April 22, 2025Severity
High
Analysis Summary
Multiple critical SQL injection vulnerabilities have been discovered in several TP-Link router models, exposing users to severe risks, including unauthorized access and full device compromise. Discovered by a security researcher, these flaws affect the login dashboards of TP-Link routers such as the EAP120, TL-WR840N, M7200, and M7450, all of which fail to properly sanitize input fields. These vulnerabilities enable unauthenticated attackers to inject malicious SQL code through the username and password fields, bypassing authentication mechanisms and gaining administrative control of the devices.
Each vulnerability is cataloged under a separate CVE. CVE-2025-29648 targets the TP-Link EAP120 (v1.0), allowing login bypass through SQL injection. CVE-2025-29649 affects the TL-WR840N (v1.0), where attackers can gain full control of the router, manipulate DNS, and intercept traffic. CVE-2025-29650 impacts the M7200 4G LTE Mobile Wi-Fi Router (firmware 1.0.7 Build 180127), allowing threat actors to steal credentials, conduct reconnaissance, and establish persistent access. Lastly, CVE-2025-29653 compromises the M7450 Mobile Wi-Fi Router (firmware 1.0.2 Build 170306), risking exposure of cellular data and IMSI information due to input sanitization flaws and unchanged default credentials.
These vulnerabilities are rated (Critical) on the scale due to their high potential impact and low exploitation complexity. They require only network access to the device’s web interface and do not demand authentication. Once exploited, attackers can intercept user communications, redirect traffic via DNS manipulation, and use the router as a pivot point to attack other systems within the network. The widespread use of these routers in both home and business environments amplifies the threat landscape significantly.
TP-Link has been informed, but no official patches have been released at the time of this publication. Users are advised to take immediate mitigation steps, including changing default administrative credentials, disabling remote management, and applying the latest available firmware updates. Additionally, network administrators should employ traffic monitoring tools to detect unusual behavior and remain vigilant for official security updates from TP-Link. These measures can help minimize risk until permanent fixes are provided.
Impact
- Sensitive Credential Theft
- SQL Injection
- Unauthorize Access
Indicators of Compromise
CVE
CVE-2025-29648
CVE-2025-29649
CVE-2025-29650
CVE-2025-29653
Affected Vendors
- TP-Link
Affected Products
- TP-Link EAP120 router (Version 1.0)
- TP-Link TL-WR840N router (Version 1.0)
- TP-Link M7200 4G LTE Mobile Wi-Fi Router (Firmware 1.0.7 Build 180127 Rel.55998n)
- TP-Link M7450 4G LTE Mobile Wi-Fi Router (Firmware 1.0.2 Build 170306 Rel.1015n)
Remediation
- Change default admin credentials immediately to strong, unique passwords.
- Disable remote management features on the router unless absolutely necessary.
- Update router firmware to the latest available version from TP-Link's official website.
- Use network monitoring tools to detect unusual or suspicious activity on your network.
- Limit access to the web management interface to trusted local devices only.
- Segment the network to reduce the impact if a router is compromised (e.g., separate guest and internal networks).
- Stay informed through TP-Link security advisories for upcoming patches or updates.
- Consider replacing vulnerable devices with newer, secure models if no patch becomes available.