CVE-2024-57049
Published: 18 February 2025
Summary
CVE-2024-57049 is a critical-severity Improper Authentication (CWE-287) vulnerability in Tp-Link Archer C20 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in the TP-Link Archer C20 router running firmware V6.6_230412 and earlier permits authentication bypass on certain interfaces under the /cgi directory. An unauthenticated remote attacker can gain access simply by supplying the HTTP Referer header value http://tplinkwifi.net in requests to the affected endpoints. The issue is tracked as CWE-287 and carries a CVSS 3.1 base score of 9.8.
An attacker with network access to the router's management interface can exploit the flaw without credentials or user interaction, potentially retrieving or manipulating configuration data exposed by the bypassed interfaces. The vendor disputes the finding, stating that the affected API responses contain only non-sensitive UI initialization variables rather than privileged information.
The public disclosure at the referenced GitHub repository describes the bypass technique in detail. No vendor patch or mitigation guidance has been issued in the available references.
EPSS for the CVE rose from a low baseline to a peak of 0.4878 (current value 0.3460), indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4696
Vulnerability details
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized…
more
as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables authentication bypass on the TP-Link Archer C20 router's public-facing web (/cgi) interfaces via Referer header manipulation, facilitating exploitation of a public-facing application for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to CGI interfaces, directly preventing authentication bypass via manipulated Referer headers.
Validates and sanitizes HTTP request inputs including Referer headers to block their exploitation for unauthorized access.
Limits and documents permitted actions without authentication, mitigating risks from interfaces vulnerable to improper auth checks.