

Multiple Adobe Products Vulnerabilities
March 18, 2025
Alerts on StilachiRAT: A Stealthy Threat to Credentials and Crypto Wallets – Active IOCs
March 18, 2025
Severity
High
Analysis Summary
A newly discovered critical vulnerability, CVE-2024-57040, affecting TP-Link TL-WR845N routers has been assigned a CVSS score of 9.8 because root credentials are hardcoded in publicly available firmware files. Researchers at IoT Security Research found that the MD5-hashed root password is stored in the unencrypted firmware files “squashfs-root/etc/passwd” and “squashfs-root/etc/passwd.bak”. The hash is easily cracked, revealing the password “1234” for the username “admin”, which gives attackers unauthorized root-level access. All known firmware versions of the TL-WR845N, including TL-WR845N(UN)_V4_190219, TL-WR845N(UN)_V4_200909, and TL-WR845N(UN)_V4_201214, are vulnerable.
The vulnerability can be exploited in two primary ways: by physically extracting the SPI flash memory, or by downloading the firmware directly from TP-Link’s official website, since every version carries the same flaw. Tools such as Binwalk let attackers extract and analyze the firmware, exposing the credential hash with a command as simple as cat passwd. Over the router’s UART serial console, attackers can then log in with the recovered credentials and gain complete administrative control of the device. With that access they can intercept network traffic, modify the firmware, install persistent backdoors, and move laterally to compromise other devices on the same network.
Given the severity of this flaw, users face significant risks, especially if attackers leverage authentication bypass vulnerabilities found in similar TP-Link models like TL-WR840N and TL-WR841N. These flaws could allow remote exploitation, making the attack even more dangerous. Currently, TP-Link has not released a security patch, leaving users exposed. As a precaution, affected users should immediately change the router’s admin password to a strong alternative, secure physical access to the device, disable unnecessary remote access services like SSH and Telnet, and monitor for unauthorized activity.
This latest discovery underscores the persistent security challenges in consumer routers, following similar critical issues in TP-Link devices. Until TP-Link releases a firmware update, users should remain vigilant and check the router’s management interface at http://tplinkwifi.net for potential security patches. This incident highlights the importance of regularly updating router firmware and taking proactive security measures to prevent unauthorized access.
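The firmware check described above, as an added example that is not part of the original alert or any TP-Link tooling: given the text of an extracted squashfs-root/etc/passwd (or passwd.bak), it reports accounts that ship with a usable password hash, names the hash scheme (MD5-crypt is the one the advisory describes), and, across several firmware versions, shows whether the same hardcoded hash recurs. The sample passwd content and its hash string are constructed placeholders, not the real TL-WR845N values.

```python
from __future__ import annotations
import re

# crypt(3) prefixes; "$1$" (MD5-crypt) is the scheme the advisory describes.
SCHEMES = {"$1$": "md5-crypt (weak)", "$2": "bcrypt", "$5$": "sha256-crypt",
           "$6$": "sha512-crypt", "$y$": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # legacy DES-crypt, no prefix
RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$")   # unsalted MD5 hex digest
LOCKED = {"", "*", "!", "!!", "x"}           # no usable hash in this file

# Constructed sample in passwd layout (not the real TL-WR845N file); the hash
# is a placeholder with MD5-crypt shape, not a digest of any password.
SAMPLE_PASSWD = """\
admin:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/:/bin/sh
nobody:*:0:0:nobody:/:/bin/sh
dropbear:x:500:500:dropbear:/var/dropbear:/bin/sh
"""

def classify(hash_field: str) -> str | None:
    """Name the hash scheme, or return None when the account is locked."""
    if hash_field in LOCKED:
        return None
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    if DES_RE.match(hash_field):
        return "des-crypt (weak)"
    return "raw md5 (weak)" if RAW_MD5_RE.match(hash_field) else "unknown"

def audit_passwd(text: str, path: str) -> list[tuple[str, str, int, str, str]]:
    """Return (path, user, uid, scheme, hash) for every account that ships
    with a usable password hash; uid 0 entries are root-equivalent."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 7:
            continue
        scheme = classify(fields[1])
        if scheme is not None:
            findings.append((path, fields[0], int(fields[2]), scheme, fields[1]))
    return findings

def shared_credentials(images: dict[str, str]) -> dict[str, str]:
    """Map user -> hash where the hash is identical in every firmware image given."""
    seen: dict[str, list[str]] = {}
    for version, text in images.items():
        for _path, user, _uid, _scheme, h in audit_passwd(text, version):
            seen.setdefault(user, []).append(h)
    return {u: hs[0] for u, hs in seen.items()
            if len(hs) == len(images) and len(set(hs)) == 1}
```

Feed it the passwd files from each firmware version you have extracted; a root-uid finding whose hash is identical across every version is exactly the shared hardcoded credential the advisory describes.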
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2024-57040
Affected Vendors
- TP-Link
Affected Products
- TP-Link TL-WR845N(UN)_V4_190219
- TP-Link TL-WR845N(UN)_V4_200909
- TP-Link TL-WR845N(UN)_V4_201214
Remediation
Refer to TP-Link Security Advisory for patch, upgrade, or suggested workaround information.