CVE-2020-24363
Published: 31 August 2020
Summary
CVE-2020-24363 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in TP-Link TL-WA855RE firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 6.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).
Deeper analysis
The vulnerability tracked as CVE-2020-24363 affects TP-Link TL-WA855RE V5 devices running firmware version 20200415-rel37464. It stems from missing authentication for a critical function (CWE-306), allowing an unauthenticated actor on the local network to issue a TDDP_RESET POST request that forces a factory reset and reboot of the device.
An attacker positioned on the same network can exploit the flaw without credentials to reset the extender, after which they can configure a new administrative password and obtain full management access. The issue carries a CVSS 3.1 base score of 8.8 with an attack vector of adjacent network, low complexity, and no required privileges or user interaction.
Public references include a technical advisory and proof-of-concept material at malwrforensics.com along with TP-Link's firmware download page for the TL-WA855RE model; no additional mitigation details are supplied in the CVE record itself.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-17095
Vulnerability details
TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password.
- CWE(s): CWE-306
- KEV Date Added: 02 September 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authentication and authorization checks before permitting any critical function such as TDDP_RESET.
- Requires explicit identification of actions that may be performed without identification or authentication, preventing the reset operation from being exposed.
- Mandates identification and authentication of system services before access, blocking unauthenticated use of the reset endpoint.