Friday , July 10 2026

CVE-2023-28760
TP-Link Router Flaw Allows Root RCE via LAN, PoC Available

Rocco Calvi, a security researcher, discovered a serious flaw in the TP-Link AX1800 WiFi 6 Router (Archer AX21/AX20) that enables local network attackers to execute code remotely as the root user.

CVE-2023-28760 is a high-severity vulnerability (CVSS 7.5) in the MiniDLNA service of the router’s media-sharing feature. As described in the CVE Records, “TP-Link AX1800 WiFi 6 Router (Archer AX21) devices allow unauthenticated attackers (on the LAN) to execute arbitrary code as root via the db_dir field to minidlnad. The attacker obtains the ability to modify files.db, and that can be used to reach a stack-based buffer overflow in minidlna-1.1.2/upnpsoap.c.”

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, command injection, server-side request forgery...
Read More
Thousands of MCP Servers Exposed to File Access and Injection Attacks

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to the device's web interface. An...
Read More
CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Daily Cyber security update for 6. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 6. 07. 2026

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android...
Read More
“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

An AI performed a cyber attack without any human help for the first time

Security experts found what they think is the first time an AI carried out a cyber attack all by itself....
Read More
An AI performed a cyber attack without any human help for the first time

The flaw affects devices where users have hooked up a USB drive for local file sharing, commonly accessed through \\192.168.0.1, a setup used by many homes for streaming and storage.

The discovery centers around a weakness in the .TPDLNA/files.db database created when Media Sharing is enabled on the router. According to Calvi, “By default, Samba for Windows and Local FTP are enabled, and Media Sharing is enabled on the device, which means that the MiniDLNA, ProFTPd, and Samba services will start automatically for the USB share.”

Attackers on the same LAN can manipulate the database via SMB or FTP due to a design flaw. This vulnerability comes from improper bounds checking in the SQL query result processing of MiniDLNA.

“During our static code analysis of the file minidlna-1.1.2/upnpsoap.c, we identified a vulnerability that resulted from improper bounds checking… the vendor assumed that the vulnerability was not reachable by an attacker and therefore did not patch it.”

This oversight proved costly. The database file (files.db) can be directly modified by any user with network access to the shared USB drive because the MiniDLNA configuration file /tmp/minidlna.conf exposes the database path:

db_dir=/mnt/sda1/.TPDLNA

By altering the data in files.db, attackers can cause a buffer overflow, allowing them to execute code on the router.

The exploit occurs when the DLNA processing function copies metadata fields to a fixed-size buffer. If a crafted dlna_pn (DLNA profile name) exceeds this size, it overwrites the stack memory.

As Calvi explains, “If the dlna_pn variable contains more characters than the buffer can hold, it will cause a stack-based buffer overflow, allowing an attacker to overwrite the stack and potentially execute arbitrary code on the router.”

The attacker can then chain this overflow into return-oriented programming (ROP) to bypass security mitigations such as ASLR (Address Space Layout Randomization) and NX (No-eXecute).

“To overcome the exploit mitigations of ASLR and the NX bit, as well as the null byte restriction imposed by sprintf, we found a one gadget that allowed us to redirect execution to a single instruction despite the null byte limitation.”

The analysis highlights the use of a “one gadget” technique that redirects execution flow to the system() function within the router’s firmware, effectively granting command-line access to the attacker as root:

00015ed4 06 0d 8d e2 add r0,sp,#0x180
00015ed8 cb f6 ff eb bl <EXTERNAL>::system int system(char * __command)

Once successful, the attacker gains full control over the router, enabling command execution, data exfiltration, or lateral movement within the home network.

The research team develop a proof-of-concept exploit to show the vulnerability at the Pwn2Own competition, where exploits are demonstrated responsibly. They successfully gained remote access to the router.

TP-Link has fixed a reported issue in firmware version Archer AX20(EU)_V3_1.1.4 Build 20230219. Users of the affected routers should upgrade right away. Find the latest firmware and instructions here.

Check Also

SharePoint

CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious problem affecting Microsoft SharePoint …