CVE-2024-57049
Published: 18 February 2025
Summary
CVE-2024-57049 is a critical-severity Improper Authentication (CWE-287) vulnerability in TP-Link Archer C20 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to CGI interfaces, directly preventing authentication bypass via manipulated Referer headers.
- SI-10 (Information Input Validation): Validates and sanitizes HTTP request inputs, including Referer headers, to block their exploitation for unauthorized access.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits and documents permitted actions without authentication, mitigating risks from interfaces vulnerable to improper auth checks.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables authentication bypass on the TP-Link Archer C20 router's public-facing web (/cgi) interfaces via Referer header manipulation, facilitating exploitation of a public-facing application for initial access.
NVD Description
A vulnerability in the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."
Deeper analysis (AI)
CVE-2024-57049 is an authentication bypass vulnerability (CWE-287) affecting the TP-Link Archer C20 router with firmware version V6.6_230412 and earlier. The issue resides in certain interfaces under the /cgi directory, where adding a Referer header set to http://tplinkwifi.net in requests tricks the router into treating the request as authenticated.
Any unauthenticated attacker with network access to the router can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation grants access to the affected interfaces, potentially enabling high-impact compromise of confidentiality, integrity, and availability.
The vulnerability is documented in a GitHub repository detailing the ACL bypass, but the supplier disputes its severity, stating that API responses contain only non-sensitive UI initialization variables. No patches or specific mitigations are mentioned in available advisories.
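The following is an added illustration, not TP-Link firmware code and not part of the original advisory or the referenced GitHub repository. It models the flaw described above and the AC-3 / SI-10 controls listed under Mitigating Controls: a toy CGI-gateway authorization check in its weak form (a client-controlled Referer header counts as proof of authentication) beside its hardened form (only server-side session state counts), plus a log-review helper that flags requests showing the bypass pattern. The `Request` class, the `SessionStore`, the `/cgi/example` path and the space-separated log format are all constructed for the example.

```python
"""Constructed example for CVE-2024-57049-style Referer-based auth bypass.

Not vendor code. Shows the weak check, the hardened check, and a detection
pass over constructed access-log lines.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# The Referer value named in the NVD description of this CVE.
TRUSTED_ORIGIN = "http://tplinkwifi.net"


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table; tokens are random, high-entropy strings."""

    def __init__(self):
        self._tokens = set()

    def create(self) -> str:
        tok = secrets.token_urlsafe(32)
        self._tokens.add(tok)
        return tok

    def is_valid(self, tok) -> bool:
        if not tok:
            return False
        # Constant-time comparison against each stored token.
        return any(hmac.compare_digest(tok, t) for t in self._tokens)


def is_authenticated_weak(req: Request, sessions: SessionStore) -> bool:
    """Weak pattern (CWE-287): a Referer header chosen by the client is
    accepted as proof of authentication. Any client can set it, so the
    session check after it is effectively optional."""
    if req.headers.get("Referer") == TRUSTED_ORIGIN:
        return True
    return sessions.is_valid(req.cookies.get("session"))


def is_authenticated_hardened(req: Request, sessions: SessionStore) -> bool:
    """Hardened (AC-3 / SI-10): authorization derives only from server-side
    session state. Referer may be logged or used as a CSRF heuristic, but it
    is never treated as a credential."""
    return sessions.is_valid(req.cookies.get("session"))


def flag_bypass_attempts(log_lines, sessions: SessionStore):
    """Detection over constructed log lines of the form
    '<client> <path> <referer> <session-or-dash>'. Flags /cgi requests that
    carry the trusted Referer but no valid session, the signature of the
    bypass attempt described in the advisory."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        client, path, referer, session = parts
        if not path.startswith("/cgi"):
            continue
        token = None if session == "-" else session
        if referer == TRUSTED_ORIGIN and not sessions.is_valid(token):
            flagged.append((client, path))
    return flagged


def demo():
    """Runs the three checks on constructed input and returns the results."""
    sessions = SessionStore()
    good_token = sessions.create()
    spoofed = Request("/cgi/example", headers={"Referer": TRUSTED_ORIGIN})
    legit = Request("/cgi/example", cookies={"session": good_token})
    # Constructed log: one spoof attempt, one legitimate session, one non-/cgi hit.
    log = [
        f"203.0.113.5 /cgi/example {TRUSTED_ORIGIN} -",
        f"192.0.2.10 /cgi/example {TRUSTED_ORIGIN} {good_token}",
        f"198.51.100.7 /index.html {TRUSTED_ORIGIN} -",
    ]
    return {
        "weak_accepts_spoof": is_authenticated_weak(spoofed, sessions),
        "hardened_accepts_spoof": is_authenticated_hardened(spoofed, sessions),
        "hardened_accepts_session": is_authenticated_hardened(legit, sessions),
        "flagged": flag_bypass_attempts(log, sessions),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened check never reads the Referer header at all; input validation (SI-10) still applies to it for logging and CSRF purposes, but the authorization decision (AC-3) is bound to state the client cannot forge. The detection helper encodes the same rule from the other side: a trusted-looking Referer arriving without a session is the anomaly worth alerting on.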
Details
- CWE(s)