XSS Security Flaws on TP-Link Routers and APs with Public Exploit

A serious security flaw of the XSS type has been discovered in several models of standalone routers, ADSL routers and access points from the manufacturer TP-Link. The vulnerability allows a malicious XSS payload to be injected through the hostname of the wireless clients connected to the TP-Link router, letting remote attackers execute malicious scripts, and all of this without any authentication on the device, because TP-Link did not validate the hostname properly. Do you want to know more about this serious security flaw that affects multiple TP-Link models?

What is an XSS vulnerability?

An XSS (Cross-site scripting) vulnerability is a very common type of vulnerability in web applications that are poorly programmed, where security was not taken into account when they were designed or written. This type of vulnerability can allow anyone to inject JavaScript code (or code in another language) into the device itself, which can give an attacker control of the device or let them run commands of their choosing.

XSS can also be used to steal sensitive information such as user credentials, hijack user sessions, completely compromise the attacked device, and much more. Normally these security flaws are less serious when they require the attacker to authenticate first, but there are XSS flaws that need no authentication at all, so any user could execute arbitrary commands on the devices, and this is exactly what has happened with several TP-Link devices.

What exactly is the XSS vulnerability in TP-Links?

It has been discovered that malicious code could be injected via XSS through the hostname of WiFi client devices, allowing a remote attacker to execute malicious scripts without any authentication. The cause is improper hostname validation, and the affected function is used in many parts of the source code, including the dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm and qsReview.htm pages, among others.

Because of this poor validation, an XSS is triggered everywhere the hostname of a connected device is displayed, such as the WiFi client information table, the ARP table, and even the DHCP client list. This XSS security flaw is therefore present in many parts of the TP-Link source code.

The hostname value is only validated for ASCII characters, with no validation of non-ASCII characters at all, which makes it possible to embed an XSS payload in it. For example, if the hostname is set to:

<script>alert('XSS')</script>

TP-Link devices will output this hostname value as-is, without escaping, together with the IP address and MAC address in the initClientListTable function and in other tables as well, because the same hostname value is reused throughout the device.
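The two controls that would have closed this hole are validating the hostname when it is stored and escaping it when it is rendered. The following is an added example written for this article, not TP-Link's firmware code; the function names, the client record fields and the sample clients are assumptions. It shows the vulnerable pattern (the hostname concatenated straight into the client table markup, as the text describes) next to a hardened version that validates against RFC 1123 hostname rules and HTML-escapes every field before rendering.

```javascript
// Added example, not TP-Link's code. Function and field names are assumptions.

// 1. Validate on input: RFC 1123 hostname labels (letters, digits, hyphens,
//    1-63 characters per label, no leading or trailing hyphen, <= 253 total).
const HOSTNAME_LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) {
    return false;
  }
  return name.split(".").every((label) => HOSTNAME_LABEL.test(label));
}

// 2. Escape on output: neutralise the five characters that carry meaning in
//    HTML, so whatever reached storage is rendered as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the hostname is dropped into the table row unescaped,
// which is the behaviour the article describes in initClientListTable.
function renderClientRowVulnerable(client) {
  return `<tr><td>${client.hostname}</td><td>${client.ip}</td><td>${client.mac}</td></tr>`;
}

// Hardened pattern: every field is escaped, and a hostname that fails
// validation is replaced by a neutral placeholder so the table stays inert.
function renderClientRowSafe(client) {
  const shown = isValidHostname(client.hostname)
    ? client.hostname
    : "(invalid hostname)";
  return `<tr><td>${escapeHtml(shown)}</td><td>${escapeHtml(client.ip)}</td><td>${escapeHtml(client.mac)}</td></tr>`;
}

function renderClientTable(clients, renderRow) {
  return `<table>${clients.map(renderRow).join("")}</table>`;
}

// Constructed sample: one benign client and one whose hostname carries the
// payload quoted in the article.
const SAMPLE_CLIENTS = [
  { hostname: "laptop-01", ip: "192.168.0.10", mac: "00:11:22:33:44:55" },
  {
    hostname: "<script>alert('XSS')</script>",
    ip: "192.168.0.11",
    mac: "66:77:88:99:aa:bb",
  },
];

console.log("vulnerable:", renderClientTable(SAMPLE_CLIENTS, renderClientRowVulnerable));
console.log("hardened:  ", renderClientTable(SAMPLE_CLIENTS, renderClientRowSafe));
```

Both controls are needed: validation alone leaves any other path that writes a hostname (for example an administrator editing a DHCP reservation) unprotected, and escaping alone still stores junk that other components may consume.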

Routers affected

Currently there are several models of routers, ADSL routers and also access points affected by this vulnerability, but it is not known if other models could also be affected. The vulnerable models are the following:

  • TD-W9977v1 (ADSL router)
  • TL-WA801NDv5 (access point)
  • TL-WA801Nv6 (access point)
  • TL-WA802Nv5 (access point)
  • Archer C3150v2 (standalone router)

TP-Link has now released new firmware versions that fix these problems for the affected access point models; however, it seems that no update will be released for the ADSL router and the standalone router because those products are no longer supported (end of life, EOL), as noted in the already public exploit for this vulnerability.

Given the severity of this flaw, it is recommended that you stop using the affected routers, because anyone connected to the network could inject commands via XSS. You will have to buy a new router, since no new firmware is being released to fix this security flaw.

Can I exploit this vulnerability in the router and check if I am affected?

Yes, the steps are really easy to replicate. TP-Link has now released firmware for these devices that fixes this serious problem, but it is best to check whether you are affected by this security flaw.

  1. Change the hostname of your WiFi or wired client to: <script>alert('XSS')</script>
  2. Disconnect and reconnect to the router, so that it refreshes the hostname.
  3. Log in to the router and go to the DHCP options or to the list of connected WiFi clients.
  4. You will see the XSS payload that you just put.

As you can see, the attack starts on the client side without the need to do anything more than change the hostname, because TP-Link does not validate it in the firmware.
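Because the payload arrives through DHCP, a network administrator can also spot it from the outside by checking the hostnames that clients announce, without logging in to each router. The following is an added example written for this article, not part of the original or of any TP-Link tool; the log lines are constructed in the style of ISC dhcpd's "DHCPACK on ... to ... (hostname) via ..." messages, and the function names are assumptions. It parses the acknowledgements and flags any client whose hostname contains HTML or script syntax, which no legitimate hostname needs.

```javascript
// Added example, not from the page or TP-Link. Log format and samples are
// constructed; function names are assumptions.

// Characters and fragments that carry meaning in HTML or JavaScript but have
// no place in a hostname.
const SUSPICIOUS_HOSTNAME = /[<>"'&=]|javascript:/i;

// Parse one ISC-dhcpd-style acknowledgement line into its fields. The
// hostname capture is greedy so a payload containing parentheses, such as
// alert('XSS'), is still captured whole.
function parseDhcpAck(line) {
  const m = /DHCPACK on (\S+) to (\S+) \((.*)\) via (\S+)/.exec(line);
  if (!m) return null;
  return { ip: m[1], mac: m[2], hostname: m[3], iface: m[4] };
}

// Return every acknowledged client whose announced hostname looks injected.
function findInjectedHostnames(lines) {
  const hits = [];
  for (const line of lines) {
    const ack = parseDhcpAck(line);
    if (ack && SUSPICIOUS_HOSTNAME.test(ack.hostname)) {
      hits.push(ack);
    }
  }
  return hits;
}

// Constructed sample log: two normal clients, one unrelated DISCOVER line,
// and one client announcing the payload quoted in the article.
const SAMPLE_LOG = [
  "Mar  3 10:01:02 gw dhcpd: DHCPACK on 192.168.0.10 to 00:11:22:33:44:55 (laptop-01) via br0",
  "Mar  3 10:01:09 gw dhcpd: DHCPACK on 192.168.0.11 to 66:77:88:99:aa:bb (<script>alert('XSS')</script>) via br0",
  "Mar  3 10:01:15 gw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via br0",
  "Mar  3 10:02:00 gw dhcpd: DHCPACK on 192.168.0.12 to aa:bb:cc:dd:ee:ff (phone) via br0",
];

for (const hit of findInjectedHostnames(SAMPLE_LOG)) {
  console.log(`suspicious hostname from ${hit.mac} (${hit.ip}): ${hit.hostname}`);
}
```

On a real network the same check can be run over the DHCP server's lease file or syslog feed; a hit identifies the MAC address to isolate, and it is also a useful signal on routers that have already been patched, since it reveals a client that is probing for this class of flaw.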

We recommend that you visit 0day.exploit, where you will find all the details of this security flaw; the identifier CVE-2021-3275 has been assigned to this vulnerability. It is already listed on various vulnerability websites such as vuldb.com, and the information is also available on GitHub. It is very likely that exploits for this vulnerability will appear in the near future.