Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L.

Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises.

The identified vulnerability enables Remote Code Execution (RCE) which grants the ability to takeover of the device and then use it for malicious purposes, as well as to steal sensitive data too. It’s likely this vulnerability is present in other devices from the same family.

The affected device is orientated towards the enterprise segment and supports Wi-Fi 6 (the next-generation wireless standard which is faster than 802.11ac). Wi-Fi 6 officially arrived in late 2019, and Wi-Fi 6 enabled hardware was released throughout 2020. The main goal of this new standard is enhancing throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.

Resecurity notified TP-Link on November 19th 2021, and received acknowledgment the very next day. TP-Link said they’re going to release a patch in a week (currently the 0-day vulnerability is in the wild). Resecurity shared Proof-of-Concept with TP-Link of how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities.

Below is the video PoC of the zero-day exploitation:

According to Resecurity, the vulnerability was identified by the cause of abnormal traffic monitoring which consisted of a network of “honeypot” sensors to emulate common IoT devices developed by Resecurity are to hunt for malice on the internet.

Ongoing attacks were discovered by Resecurity’s researchers while monitoring the activity of a threat actor know for targeting networks and IoT devices since early October 2021.

Notably, the productized version of 0-day exploit was initially spotted by Resecurity’s HUNTER unit “in the wild” known as “TP-Linker”, the tool available for sale in the Chinese-speaking segment of the Dark Web.

Based on additional context – the actors are attacking insecure IoT devices and are involved in large-scale traffic manipulation including online-banking theft activity.

It’s not the 1st time TP-Link has faced critical vulnerabilities in their product line up, such bugs are widely leveraged by threat actors building IoT-based botnets like Mirai for further DDoS attacks and other malicious activities.

Insecurity of IoT devices remains a challenging cybersecurity issue and creates a vast flaw in the external network perimeter of companies which allows attackers to penetrate and steal sensitive data too.

Last year researchers found thousands of vulnerable TP-Link routers which took more than a year for the company to publish patches on their website. This year, cybersecurity researchers from the Flashback Team found and exploited critical vulnerabilities in another device by TP-Link Archer AC1750 at Pwn2Own Tokyo

Follow me on Twitter: @securityaffairs and Facebook

About the author: Resecurity Chief Executive Officer Gene Yoo

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]