Finding a RCE in my old TP-Link router
A security researcher discovered a remote code execution vulnerability in an old TP-Link TL-MR6400 router by analyzing publicly accessible firmware from an open S3 bucket. The vulnerability lies in the undocumented 'mdlog prepare' command within the router's telnet interface, which fails to sanitize user input when processing a JSON configuration file. This flaw allows an attacker to execute arbitrary commands and gain full root access to the device.
Opening excerpt (first ~120 words)
I was eating lunch one day in late December (2025), and was reading an article by Simone Margaritelli about several TP-Link vulnerabilities he found in his IP Camera. After finishing both the article and my toast, I realised two things:

- I had my own TP-Link router collecting dust in a cupboard.
- The firmware blobs for it were stored on an open S3 bucket, which would make it incredibly easy to reverse engineer.

With this in mind, I dusted off my old router and got to work.

Acquiring the firmware

First things first, I downloaded a list of all possible firmware from TP-Link’s S3 bucket.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Mrbruh.