CVE-2015-3035
Published: 22 April 2015
Summary
CVE-2015-3035 is a high-severity Path Traversal (CWE-22) vulnerability in TP-LINK TL-WR841N firmware. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2015-3035 is a directory traversal vulnerability (CWE-22) affecting multiple TP-LINK router models, including the Archer C5 (v1.2) with firmware prior to 150317, Archer C7 (v2.0) prior to 150304, Archer C8 (v1.0) prior to 150316, Archer C9 (v1.0), TL-WDR3500/3600/4300 (v1.0) prior to 150302, TL-WR740N/741ND (v5.0) prior to 150312, and TL-WR841N/ND (v9.0/10.0) prior to 150310. The flaw resides in the handling of the login/ endpoint, where a path traversal sequence in PATH_INFO permits access to files outside the intended web root.
Unauthenticated remote attackers can exploit the issue over the network by supplying crafted requests containing dot-dot sequences, resulting in disclosure of arbitrary files stored on the device with high confidentiality impact and no requirement for authentication or user interaction.
Vendor firmware updates addressing the affected models are referenced in the TP-LINK download archives and public disclosures on Packet Storm and Full Disclosure lists; applying the listed firmware revisions (such as 150317 for Archer C5) eliminates the traversal vector. No details on in-the-wild exploitation are provided in the source references.
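A log check for the request pattern described above, added here as an example and not taken from the vendor or the advisory. It assumes HTTP requests to the router's management interface are recorded in Common Log Format by a proxy or network sensor; the sample lines, addresses and the PLACEHOLDER file name are constructed.

```python
import re
from urllib.parse import unquote

# Common Log Format prefix: client, ident, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_login_traversal(target):
    """True if the path passes through login/ and then carries a '..' segment."""
    # Drop the query string: the flaw is in PATH_INFO, not in parameters.
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    segments = [s for s in path.split("/") if s]
    if "login" not in segments:
        return False
    return ".." in segments[segments.index("login") + 1:]

def scan(lines):
    """Return (client, target, status) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_login_traversal(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

# Constructed sample lines (documentation address ranges, placeholder file name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2015:10:00:01 +0000] "GET /login/ HTTP/1.1" 200',
    '198.51.100.7 - - [01/May/2015:10:00:05 +0000] "GET /login/../../PLACEHOLDER HTTP/1.1" 200',
    '198.51.100.7 - - [01/May/2015:10:00:06 +0000] "GET /login/%2e%2e/%252e%252e/PLACEHOLDER HTTP/1.1" 404',
    '192.0.2.10 - - [01/May/2015:10:00:09 +0000] "GET /images/logo..png HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

The ordinary `/login/` request and the file name that merely contains two dots are not flagged; only a `..` path segment after `login/` is, including its percent-encoded and backslash forms.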
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-3116
Vulnerability details
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
- CWE(s): CWE-22
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly blocks the dot-dot PATH_INFO sequences that enable the directory traversal on the login/ endpoint.
Enforces access restrictions so unauthenticated requests cannot read arbitrary files outside the web root.
Requires timely application of the vendor firmware revisions that close the traversal vector in the affected TP-LINK models.