CVE-2020-35575 — CRITICAL (9.8)

Q: How severe is CVE-2020-35575?

CVE-2020-35575 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-35575?

Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Wa901Nd Firmware, Tp-Link Wa901Nd, Tp-Link Archer C5 Firmware, Tp-Link Archer C5, Tp-Link Archer C7 Firmware.

Vulnerability Description

A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 devices.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Tp-Link	Wa901Nd Firmware	< 3.16.9\(201211\)_beta
Tp-Link	Wa901Nd	-
Tp-Link	Archer C5 Firmware	-
Tp-Link	Archer C5	-
Tp-Link	Archer C7 Firmware	-
Tp-Link	Archer C7	-
Tp-Link	Mr3420 Firmware	-
Tp-Link	Mr3420	-
Tp-Link	Mr6400 Firmware	-
Tp-Link	Mr6400	-
Tp-Link	Wa701Nd Firmware	-
Tp-Link	Wa701Nd	-
Tp-Link	Wa801Nd Firmware	-
Tp-Link	Wa801Nd	-
Tp-Link	Wdr3500 Firmware	-
Tp-Link	Wdr3500	-
Tp-Link	Wdr3600 Firmware	-
Tp-Link	Wdr3600	-
Tp-Link	We843N Firmware	-
Tp-Link	We843N	-

References

http://packetstormsecurity.com/files/163274/TP-Link-TL-WR841N-Command-Injection.ExploitThird Party AdvisoryVDB Entry
https://pastebin.com/F8AuUdckThird Party Advisory
https://static.tp-link.com/2020/202012/20201214/wa901ndv5_eu_3_16_9_up_boot%2820
https://www.tp-link.com/us/securityVendor Advisory
http://packetstormsecurity.com/files/163274/TP-Link-TL-WR841N-Command-Injection.ExploitThird Party AdvisoryVDB Entry
https://pastebin.com/F8AuUdckThird Party Advisory
https://static.tp-link.com/2020/202012/20201214/wa901ndv5_eu_3_16_9_up_boot%2820
https://www.tp-link.com/us/securityVendor Advisory

FAQ

What is CVE-2020-35575?

CVE-2020-35575 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(2012...

How severe is CVE-2020-35575?

CVE-2020-35575 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-35575?

Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Wa901Nd Firmware, Tp-Link Wa901Nd, Tp-Link Archer C5 Firmware, Tp-Link Archer C5, Tp-Link Archer C7 Firmware.