A newly discovered zero-day vulnerability in the CWMP implementation of TP-Link routers poses a serious security risk to thousands of users worldwide.
The vulnerability was identified in January 2025 through automated taint analysis and reported to TP-Link on May 11. Patches are still lacking, meaning the danger remains real and immediate.
CWMP, also known as TR-069, allows providers to manage routers remotely. This functionality is useful, but the combination of complexity and privileges makes the protocol an attractive target. Research revealed a stack-based buffer overflow in the function that processes SetParameterValues SOAP messages. The vulnerability affects several popular models, including the Archer AX10 and AX1500.
The analysis showed that input from external messages is used directly to calculate a buffer length. This value is then passed to a strncpy operation without any boundary checks, while the stack buffer is only 3072 bytes in size. With a payload of 4096 bytes, the exploit managed to crash the service and confirmed that the program counter can be overwritten. This means that complete system compromise with root privileges is achievable.
The exploit was tested with a proof-of-concept in which manipulated SOAP messages were sent via a GenieACS server. The vulnerable router crashed, and further analysis showed that exactly 3112 bytes were needed to overwrite the control register. With a specially constructed payload, researchers were able to fully control the program counter, unequivocally confirming the remote code execution scenario.
Large number of devices at risk
The problem is not limited to two models. Since TP-Link reuses identical binary files, other devices are also at risk. The Fofa search engine identified more than 4,200 publicly accessible vulnerable devices. This means that the impact is not theoretical, but directly visible on the internet.
What makes this zero-day particularly dangerous is that the requirements for an attack are easily achievable. Many routers still run on default passwords or have weak security settings. Once an attacker gains access to the configuration, the CWMP server address can be changed to a malicious ACS server. That server can then deliver exploits that lead to complete takeover of the device. Because setting up such a server is relatively easy and certificate validation is often poorly implemented, there is a high risk that this attack vector will be actively exploited.
The disclosure timeline underscores the urgency. The vulnerability was discovered in January and reported to TP-Link on May 11, but remains unresolved today. This initial public disclosure indicates that users must take measures themselves for the time being. Until updates are available, the advice is to immediately set strong passwords, disable TR-069 if possible, and closely monitor network activity.