Multiple TP-Link products vulnerable to OS command injection


Multiple products provided by TP-LINK contains an OS command injection vulnerability (CWE-78) related to the backup/restore function.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

TP-LINK Technologies
  • Archer Air R5 firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"
  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.3 Build 20240415"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.4 Build 20240429"
  • Archer AXE5400 firmware versions prior to "Archer AXE5400(JP)_V1_1.0.3 Build 20240319"
  • Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_1.2.0 Build 20240320"


A user who logs in to the affected device may execute an arbitrary OS command by restoring a crafted backup file.
The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi.

[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

TP-LINK Technologies
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [Other]
CVE (What is CVE?)

  1. CVE-2024-38471

  1. JVN : JVNVU#99784493
Revision History

  • [2024/06/28]
      Web page was published