Cyber Resilience

CVE-2020-24363

HighCISA KEVActive ExploitationEUVD Exploited

Published: 31 August 2020

Published
31 August 2020
Modified
07 November 2025
KEV Added
02 September 2025
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1137 93.7th percentile
Risk Priority 44 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-24363 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tp-Link Tl-Wa855Re Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).

Deeper analysis

The vulnerability tracked as CVE-2020-24363 affects TP-Link TL-WA855RE V5 devices running firmware version 20200415-rel37464. It stems from missing authentication for a critical function (CWE-306), allowing an unauthenticated actor on the local network to issue a TDDP_RESET POST request that forces a factory reset and reboot of the device.

An attacker positioned on the same network can exploit the flaw without credentials to reset the extender, after which they can configure a new administrative password and obtain full management access. The issue carries a CVSS 3.1 base score of 8.8 with an attack vector of adjacent network, low complexity, and no required privileges or user interaction.

Public references include a technical advisory and proof-of-concept material at malwrforensics.com along with TP-Link's firmware download page for the TL-WA855RE model; no additional mitigation details are supplied in the CVE record itself.

EU & UK References

Vulnerability details

TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password.

CWE(s)
KEV Date Added
02 September 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tp-link
tl-wa855re firmware
≤ 200731

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks before permitting any critical function such as TDDP_RESET.

prevent

Requires explicit identification of actions that may be performed without identification or authentication, preventing the reset operation from being exposed.

prevent

Mandates identification and authentication of system services before access, blocking unauthenticated use of the reset endpoint.

References