TP-Link’s Archer AX21 (also called AX180) is a popular consumer-grade WiFi 6 router. But if you own one and haven’t updated the firmware since early 2023, read on carefully. A critical flaw labeled CVE-2023-1389 exposes countless devices to full remote takeover by hackers—no password or user account needed.
Below, we break down what went wrong, how the vulnerability works, and what you can do right now to stay safe.
What is CVE-2023-1389?
CVE-2023-1389 is a command injection vulnerability found in the web management interface of the TP-Link Archer AX21 router. In firmware versions before 1.1.4 Build 20230219, the router fails to properly validate a field called country when it’s sent to a specific web address (/cgi-bin/luci;stok=/locale). This allows anyone on your network—or, in some rare cases, even from the internet—to run system commands as root, the most powerful access on the device.
Severity: 9.8/10 (Critical)
Attack Vector: Network (Unauthenticated remote)
How Does the Vulnerability Work?
The Archer AX21 router has a management web interface. One of its “forms” lets users set localization information (like country/language). When processing the “change country” request, the router takes whatever value you send in the country field and puts it directly into a system shell command—without any checks to see if it’s just a country name (like US or CN).
The problem: The router runs this shell command as root, so any code injected via the country field gets executed with full system privileges.
Let’s look at a simplified version of the vulnerable code
// Pseudocode based on firmware analysis
char cmd[256];
snprintf(cmd, sizeof(cmd), "set_country %s", request.country);
popen(cmd, "r"); // Runs the command as root
Since request.country comes directly from the web request, any special characters (like ;) can end the intended command and start a new one.
Real-World Exploitation: Example Attack
Attackers can exploit this bug with a simple unauthenticated POST request.
Here’s a minimal example using the command injection to run ls (list directory contents)
POST /cgi-bin/luci;stok=/locale HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded
Content-Length: [XX]
operation=write&country=US;ls>/tmp/haxx;#
operation=write: This field triggers the “change country” logic.
- country=US;ls>/tmp/haxx;#: The semicolon (;) closes the set_country command. Then, ls is run, and its output goes to /tmp/haxx. The # comments out anything else on the line.
- The response may not show you the output, but if you run another command to get the contents of /tmp/haxx, you’ll see the directory listing.
To run more destructive commands or gain a persistent shell, an attacker just sends more complex payloads in the same field.
Fixes and Vendor Response
TP-Link has released a security update that closes the hole by properly validating and sanitizing the country field.
- TP-Link Security Advisory for CVE-2023-1389
- Firmware Download Page (choose your hardware version!)
How To Protect Yourself
1. Update ASAP: Log into your Archer AX21 web interface, go to the update section, and upgrade to the latest firmware.
2. Disable Remote Management: If you don’t need to manage your router from outside your home, turn off “Remote Management” or “Remote Access.”
3. Change Default Passwords: Even though this bug didn’t need a password, always use strong, unique admin credentials.
4. Segment Your Network: Consider using guest networks and limit what devices can access your main router admin page.
More Technical Resources
- Original Vulnerability Report on GitHub
- CERT/CC Note on the Issue
- Proof-of-Concept Exploit Script (archived)
Conclusion
CVE-2023-1389 shows how a single unchecked form field can open your home or small business to serious risks. If you run a TP-Link Archer AX21, check your firmware and update as soon as you can. And as always—never leave your router management interface open to the world.
Timeline
Published on: 03/15/2023 23:15:00 UTC
Last modified on: 03/21/2023 19:31:00 UTC