Popular TP-Link Gaming Router Scores Rare CVSS 10.0 Vulnerability Rating, Patch ASAP

TP-Link Archer C5400X router on a dark blue background.
TP-Link has issued an important firmware update for its Archer C5400X, a popular tri-band wireless router aimed at gamers that debuted several years ago and was branded as "recommended" for NVIDIA's GeForce NOW cloud gaming service. If left unpatched, the router is open to an attack that lets a remote, unauthenticated attacker run commands on the device.

Tracked as CVE-2024-5035, the 'Critical' vulnerability carries a CVSS (Common Vulnerability Scoring System) score of 10.0, the highest severity rating possible. Relatively few vulnerabilities are scored a 10.0; even the most severe usually top out at 9.8 (anything 9.0 and above is rated Critical).

"The affected device exposes a network service called 'rftest' that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, a remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges," the vulnerability description reads.

Back view of TP-Link's Archer C5400X router and its ports.

Security researchers at ONEKEY discovered the flaw and were able to reproduce the issue by emulating the firmware. For anyone interested, ONEKEY offers a technical breakdown of the vulnerability, but the key takeaway is that owners of the affected model should fetch and install the latest firmware update sooner rather than later.

"It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices. With details of this 'API' abstracted away, the fact that it does indeed expose a shell remotely due to insecure coding practices got lost in the review process," ONEKEY explains.

The flaw affects all Archer C5400X firmware builds up to and including version 1_1.1.6. TP-Link has issued a new firmware version (1_1.1.7) that fixes the issue. If you own this gaming router, head over to TP-Link's support page for the Archer C5400X and install the latest build.
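As an added illustration (not code from the article, ONEKEY, or TP-Link), the script below covers the two checks an owner would want after reading the advisory quoted above and the version information here: does the router's build string predate the fixed build 1_1.1.7, and does anything on the router's LAN address accept connections on TCP 8888, 8889 and 8890. It assumes the build-string format "1_1.1.6" shown on this page and a default LAN address of 192.168.0.1; both are assumptions. The port probe only completes a TCP handshake and sends nothing, so an open port means the service is reachable from the LAN, not that the device has been confirmed exploitable.

```python
"""Added example: two quick checks for the Archer C5400X 'rftest' issue.

1. is_vulnerable_firmware(): compares a TP-Link build string such as
   "1_1.1.6" (format assumed from the article) against the first fixed
   build, 1_1.1.7.
2. probe_rftest_ports(): completes a plain TCP connect to each of the three
   ports named in the advisory (8888, 8889, 8890) and reports which accept.
   Nothing is sent; an open port only shows the service is reachable.
"""
import socket
import sys

RFTEST_PORTS = (8888, 8889, 8890)   # ports named in the advisory text
FIRST_FIXED_BUILD = "1_1.1.7"        # first build TP-Link shipped with the fix


def parse_build(version: str) -> tuple:
    """Turn '1_1.1.6' into (1, 1, 1, 6).

    The leading '1_' is treated as a hardware-revision prefix (an assumption
    based on the build strings quoted in the article); every field is compared
    numerically so that '1_1.1.10' sorts after '1_1.1.7'.
    """
    hw, _, fw = version.strip().partition("_")
    if not fw:
        raise ValueError(f"unexpected build string: {version!r}")
    return tuple(int(p) for p in [hw] + fw.split("."))


def is_vulnerable_firmware(version: str, first_fixed: str = FIRST_FIXED_BUILD) -> bool:
    """True if the running build predates the first fixed build."""
    return parse_build(version) < parse_build(first_fixed)


def probe_rftest_ports(host: str, ports=RFTEST_PORTS, timeout: float = 1.0) -> dict:
    """Return {port: True/False}; True means a TCP connect to that port succeeded.

    Connection refused, timeouts and unreachable hosts all count as closed.
    """
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    # Run from a machine on the router's LAN; pass the router address as argv[1].
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"  # assumed default LAN address
    build = sys.argv[2] if len(sys.argv) > 2 else "1_1.1.6"        # build shown in the article
    print(f"build {build} vulnerable: {is_vulnerable_firmware(build)}")
    for port, is_open in probe_rftest_ports(router).items():
        print(f"{router}:{port} {'OPEN' if is_open else 'closed'}")
```

Run it from a host on the router's LAN, e.g. `python3 check_c5400x.py 192.168.0.1 1_1.1.6`, and read the build string from the router's admin page. If the build predates 1_1.1.7, install the update regardless of what the port probe shows; the probe is a sanity check that the fixed build no longer accepts connections on those ports from the LAN.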