Cybersecurity specialists report the detection of two critical vulnerabilities in some router models manufactured by the technology firm TP-Link. According to the report, successful exploitation of these flaws would allow threat actors to deploy all kinds of attacks against vulnerable systems.
Below are brief descriptions of the reported flaws, along with their tracking identifiers and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-35004: A boundary error within the handling of DNS responses for TP-Link TL-WA1201 routers would allow remote unauthenticated threat actors to send specially crafted DNS messages, triggering a stack-based overflow and running arbitrary code on the affected system.
This is a medium-severity flaw that received a CVSS score of 7.7/10 and resides in all versions of the affected router below v2.
CVE-2021-35003: A boundary error within the handling of DNS responses for TP-Link Archer C90 routers would allow malicious remote hackers to send specially crafted DNS messages and run arbitrary code on the affected system.
The vulnerability received a CVSS score of 8.5/10 and resides in all versions of Archer C90 routers below v6.
While both flaws can be exploited by unauthenticated remote threat actors, cybersecurity experts have not detected active exploitation attempts related to these reports. Still, TP-Link recommends users of affected deployments upgrade as soon as possible.