The US cybersecurity agency CISA issued a fresh warning that a missing authentication vulnerability in TP-Link TL-WA855RE Wi-Fi range extender products has been exploited in attacks.
Tracked as CVE-2020-24363 (CVSS score of 8.8), the flaw is described as a missing authentication for a critical function issue that allows an attacker on the same network to send unauthenticated requests for a factory reset and reboot.
“The attacker can then obtain incorrect access control by setting a new administrative password,” a NIST advisory reads.
In August 2020, malwrforensics warned that, although the device’s web interface requires authentication to access administrative controls, unauthenticated attackers can send TDDP_RESET POST requests and circumvent the mechanism.
“However, an attacker can bypass it and use the APIs provided to send the TDDP_RESET code which doesn’t have any authentication,” malwrforensics said.
TP-Link resolved the vulnerability over half a decade ago, in firmware release (EU)_V5_200731, and has since released several other firmware updates for the extender. However, the TL-WA855RE extender is now marked as discontinued on the company’s website.
On Tuesday, CISA added CVE-2020-24363 to its Known Exploited Vulnerabilities (KEV) catalog along with the recently disclosed WhatsApp zero-day, urging federal agencies to address both by September 23.
“The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization,” CISA notes in CVE-2020-24363’s description.
There appear to be no reports of the CVE’s in-the-wild exploitation prior to CISA’s warning, but proof-of-concept (PoC) exploit code targeting the vulnerability has been publicly available since July 2020.

