PoC Exploit Released for TP-Link Router Web Interface XSS Vulnerability


A Cross-Site Scripting (XSS) vulnerability has been identified in the TP-Link Archer A20 v3 router, specifically in firmware version 1.0.6 Build 20231011 rel.85717(5553).

The issue stems from improper handling of directory listing paths on the router's web interface. When a specially crafted URL is accessed, the router echoes the path into the rendered directory listing, and the victim's browser executes any JavaScript embedded in the URL.

This flaw allows attackers to inject malicious scripts into the page, potentially enabling further exploitation in a victim's browser. The vulnerability has been assigned CVE-2024-57514 and carries a CVSS score of 4.0 (Medium severity).

Researcher Ravindu Wickramasinghe (@rvizx9) disclosed this issue, emphasizing its potential for misuse in targeted attacks.

PoC Exploit Released for CVE-2024-57514

The vulnerability resides in the web interface's / path and its subdirectories: because directory listing paths are not properly sanitized before being reflected into the page, JavaScript can be injected into the rendered listing.


However, because the cookie Path attribute is scoped to /cgi-bin/luci, cookies set for that path are not sent with requests to / and therefore remain inaccessible to script running in the context of this XSS.

While direct cookie theft is mitigated, other attack vectors, such as session hijacking or phishing, remain plausible depending on the broader system context.

By embedding a script in a specially crafted URL, an attacker can make the router's web interface execute arbitrary JavaScript in a victim's browser.
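To make the two points above concrete, here is an added example (not the router's firmware code, which the article does not show): a minimal directory-listing renderer in its vulnerable and HTML-escaped forms, plus the RFC 6265 path-match rule that explains why a cookie scoped to /cgi-bin/luci is not exposed to script running on /. The request path and listing entries are constructed sample values.

```python
import html
from urllib.parse import unquote

# Constructed sample request: a listing path carrying the canonical,
# harmless XSS marker tag, used only to show where escaping matters.
SAMPLE_PATH = "/<script>alert(1)</script>/"
SAMPLE_ENTRIES = ["config/", "www/"]


def render_listing(request_path: str, entries: list[str], escape: bool) -> str:
    """Render a minimal directory-listing page for request_path.

    escape=False concatenates the decoded path straight into the HTML,
    which is the bug class described in the article: whatever the client
    put in the URL is interpreted by the browser as markup.
    escape=True HTML-escapes every reflected value, the usual fix.
    """
    path = unquote(request_path)
    show = html.escape if escape else (lambda s: s)
    rows = "".join(f'<li><a href="{show(e)}">{show(e)}</a></li>' for e in entries)
    return (f"<html><head><title>Index of {show(path)}</title></head>"
            f"<body><h1>Index of {show(path)}</h1><ul>{rows}</ul></body></html>")


def reflects_raw_script(page: str) -> bool:
    """True if the marker tag survived rendering unescaped."""
    return "<script>" in page


def cookie_path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookie_path
    sent with a request for request_path?  A cookie with Path=/cgi-bin/luci
    is therefore not visible to a page served from / ."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    for esc in (False, True):
        page = render_listing(SAMPLE_PATH, SAMPLE_ENTRIES, escape=esc)
        print(f"escape={esc}: raw script reflected -> {reflects_raw_script(page)}")
    print("cookie for /cgi-bin/luci sent to / ->",
          cookie_path_matches("/cgi-bin/luci", "/"))
```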

TP-Link has acknowledged the existence of this vulnerability but has stated that the Archer A20 v3 router has reached End-of-Life (EOL) status under its End-of-Life Policy. Consequently, no patches or corrective actions will be issued for this model.

The company assured users that it is actively reviewing other models for potential vulnerabilities and implementing the necessary security measures.

Security Implications

While the XSS vulnerability is rated as medium severity, it underscores risks associated with unpatched legacy devices. Attackers could exploit this flaw to:

  • Execute malicious scripts on users’ browsers.
  • Redirect victims to phishing sites or malware downloads.
  • Conduct reconnaissance for further exploitation.

Given that no patch will be provided due to EOL status, affected users are advised to:

  • Replace outdated routers with supported models.
  • Restrict access to the router’s web interface using firewall rules.
  • Avoid clicking on suspicious URLs related to the router’s interface.

The disclosure of CVE-2024-57514 highlights ongoing challenges in securing IoT devices like routers, especially those no longer receiving updates. 

Users must adopt proactive measures to mitigate risks associated with unpatched vulnerabilities, while manufacturers should prioritize transparency and support for legacy devices.
