September 30, 2023

An active zero-day vulnerability affects the TP-Link device with model number TL-XVR1800L, which is primarily suited to enterprises.

The identified vulnerability enables Remote Code Execution, which allows an attacker to take over the device and then use it for malicious purposes, as well as to steal sensitive data.


The affected device is oriented towards the enterprise segment and supports Wi-Fi 6. The main goal of this new standard is to enhance throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.

Researchers shared with TP-Link a PoC showing how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities that were identified through abnormal-traffic monitoring, which consisted of a network of “honeypot” sensors emulating common IoT devices.

Ongoing attacks were discovered while monitoring the activity of a threat actor known for targeting networks and IoT devices. The production version of the 0-day exploit, known as “TP-Linker”, was initially spotted in the wild; the tool is available for sale in the Chinese segment of the Dark Web.

The actors are attacking insecure IoT devices and are involved in large-scale traffic manipulation, including online banking theft activity.

TP-Link has faced critical vulnerabilities in its product lineup before; such bugs are widely leveraged by threat actors building IoT-based botnets like Mirai for further DDoS attacks and other malicious activities.


The insecurity of IoT devices remains a challenging cybersecurity issue and creates a vast flaw in the external network perimeter of companies, which allows attackers to penetrate it and steal sensitive data.
