Cyber Resilience

CVE-2024-57049

Critical · Public PoC

Published: 18 February 2025

Modified: 12 February 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3460 (97.1th percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57049 is a critical-severity Improper Authentication (CWE-287) vulnerability in TP-Link Archer C20 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in the TP-Link Archer C20 router running firmware V6.6_230412 and earlier permits authentication bypass on certain interfaces under the /cgi directory. An unauthenticated remote attacker can gain access simply by supplying the HTTP Referer header value http://tplinkwifi.net in requests to the affected endpoints. The issue is tracked as CWE-287 and carries a CVSS 3.1 base score of 9.8.

An attacker with network access to the router's management interface can exploit the flaw without credentials or user interaction, potentially retrieving or manipulating configuration data exposed by the bypassed interfaces. The vendor disputes the finding, stating that the affected API responses contain only non-sensitive UI initialization variables rather than privileged information.

The public disclosure at the referenced GitHub repository describes the bypass technique in detail. No vendor patch or mitigation guidance has been issued in the available references.

EPSS for the CVE rose from a low baseline to a peak of 0.4878 (current value 0.3460), indicating that exploitation interest increased after public disclosure.
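A detection sketch for the behaviour described above, added here as an example and not taken from the advisory or the vendor: it scans access logs for requests under /cgi that carry the tplinkwifi.net Referer from outside the management subnet. The log format (combined format from a proxy or sensor in front of the router), the subnet, and the endpoint names in the sample are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the router is administered only from this subnet.
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")
BYPASS_HOST = "tplinkwifi.net"  # Referer host named in the CVE description

# Combined log format, as written by a proxy or sensor in front of the router.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def suspicious_requests(lines, mgmt_net=MGMT_NET):
    """Return /cgi requests carrying the bypass Referer from outside mgmt_net."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = m["path"].split("?", 1)[0]
        if path != "/cgi" and not path.startswith("/cgi/"):
            continue
        try:
            host = (urlsplit(m["referer"]).hostname or "").lower()
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed Referer or non-IP source field
        if host != BYPASS_HOST or src in mgmt_net:
            continue  # LAN browsers legitimately send this Referer too
        hits.append({"src": str(src), "path": path,
                     "status": int(m["status"]), "ts": m["ts"]})
    return hits

# Constructed sample lines: documentation IP ranges, made-up endpoint names.
SAMPLE = [
    '192.168.0.10 - - [18/Feb/2025:10:00:01 +0000] "GET /cgi/endpoint-a HTTP/1.1" 200 512 "http://tplinkwifi.net/" "Mozilla/5.0"',
    '203.0.113.45 - - [18/Feb/2025:10:02:11 +0000] "GET /cgi/endpoint-a HTTP/1.1" 200 512 "http://tplinkwifi.net" "curl/8.0"',
    '203.0.113.45 - - [18/Feb/2025:10:02:12 +0000] "GET /index.htm HTTP/1.1" 200 900 "http://tplinkwifi.net" "curl/8.0"',
    '198.51.100.7 - - [18/Feb/2025:10:05:40 +0000] "POST /cgi?1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [18/Feb/2025:10:05:41 +0000] "POST /cgi?1 HTTP/1.1" 200 77 "http://tplinkwifi.net" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

A 200 status on a flagged request is the case worth triaging first, since it indicates the endpoint answered without a login.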

Vulnerability details

A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables authentication bypass on the TP-Link Archer C20 router's public-facing web (/cgi) interfaces via Referer header manipulation, facilitating exploitation of a public-facing application for initial access.

CVEs Like This One

CVE-2026-34121 (Same vendor: TP-Link)
CVE-2026-0834 (Same product: TP-Link Archer C20)
CVE-2025-15517 (Same vendor: TP-Link)
CVE-2025-9292 (Same vendor: TP-Link)
CVE-2026-1668 (Same vendor: TP-Link)
CVE-2025-25897 (Same vendor: TP-Link)
CVE-2025-71279 (Shared CWE-287)
CVE-2024-13804 (Shared CWE-287)
CVE-2026-5509 (Same vendor: TP-Link)
CVE-2024-57046 (Shared CWE-287)

Affected Assets

tp-link
archer c20 firmware
6.6_230412

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations for access to CGI interfaces, directly preventing authentication bypass via manipulated Referer headers.

Prevent: Validates and sanitizes HTTP request inputs including Referer headers to block their exploitation for unauthorized access.

Prevent: Limits and documents permitted actions without authentication, mitigating risks from interfaces vulnerable to improper auth checks.

References