Researchers report hardcoded root credentials in TP-Link TL-WR845N routers
Take action: If you are running a TP-Link TL-WR845N router, make sure to reset the admin password to a long and complex password, and to limit physical access to the device and restrict access to SSH/Telnet. At this moment there is no patch for this flaw, so mitigation is your only option.
Learn More
Security researchers from the IoT Security Research Lab at the Indian Institute of Information Technology in Allahabad have discovered a severe security vulnerability in TP-Link TL-WR845N routers.
This flaw exposes hardcoded root shell credentials stored within the router's firmware files, potentially allowing attackers to gain complete control over affected devices.
The vulnerability, tracked as CVE-2024-57040 (CVSS score 9.8), stems from an MD5-hashed root password stored directly in the passwd files of publicly downloadable firmware images. The credentials appear in two files within the extracted firmware:
- "squashfs-root/etc/passwd"
- "squashfs-root/etc/passwd.bak"
The exposed hardcoded root password can be easily cracked to reveal "1234" while the root username appears in plaintext as "admin."
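As an added illustration (not the researchers' code or TP-Link's), the following Python audit walks an extracted firmware tree and reports every account whose password hash sits in etc/passwd or etc/passwd.bak rather than in a shadow file, flagging uid 0 entries as root-equivalent; the sample entries and the placeholder hash are constructed, and the path layout is assumed.

```python
# Audit extracted firmware etc/passwd* files for unshadowed hashes (added example).
import os

NO_HASH = {"x", "*", "!", "!!", ""}          # shadowed or locked entries carry no hash
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}

def hash_type(field):
    """Classify a crypt(3)-style hash by its prefix."""
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 and "$" not in field else "unknown"

def audit_passwd(text, source="passwd"):
    """Return one finding per account that carries a real hash in the file;
    uid 0 entries are flagged as root-equivalent (the case in the advisory)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue                           # blank, comment or malformed entry
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw in NO_HASH:
            continue
        findings.append({"source": source, "line": lineno, "user": user, "uid": uid,
                         "hash_type": hash_type(pw), "root_equivalent": uid == "0"})
    return findings

def audit_firmware_root(root_dir):
    """Walk an extracted tree (e.g. squashfs-root/) and audit every passwd* file,
    which covers both etc/passwd and etc/passwd.bak."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in sorted(files):
            if name.startswith("passwd"):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    findings.extend(audit_passwd(fh.read(), path))
    return findings

# Constructed sample mirroring the layout described (uid 0 'admin' with an
# md5crypt hash directly in passwd). The hash is a placeholder, not the firmware's.
SAMPLE_PASSWD = """\
admin:$1$PLACEHOLDER$PLACEHOLDERPLACEHOLDERPLA:0:0:root:/:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
"""
```

Point audit_firmware_root at the directory Binwalk produced to get the same findings across all passwd* files at once.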
All known firmware versions of the TP-Link TL-WR845N router are affected, including:
- TL-WR845N(UN)_V4_190219
- TL-WR845N(UN)_V4_200909
- TL-WR845N(UN)_V4_201214
Attackers can obtain the router's firmware through two primary methods:
- Physical access to extract the SPI Flash memory directly from the device
- Downloading the firmware from TP-Link's official website, as all firmware versions contain the same vulnerability
Once obtained, the firmware can be analyzed using tools like Binwalk or specialized firmware auditing software to extract the file system. Commands as simple as cat passwd or cat passwd.bak reveal the credentials needed to gain root access.
To verify the exploit, an attacker can reach the root shell over the UART serial port by running the login command with the discovered credentials, which grants complete administrative control over the device.
Attackers can modify the firmware, install persistent backdoors, and intercept all network traffic passing through the router. Once inside the router, they can establish a foothold from which to target other devices on the same network. Combined with other vulnerabilities such as authentication bypass flaws (similar to those found in related models such as the TL-WR840N and TL-WR841N), these attacks could potentially be carried out remotely.
As TP-Link has not yet released a security patch addressing CVE-2024-57040, users of affected routers should:
- Modify the admin password to a strong, unique alternative
- Secure the router's physical location to prevent tampering and SPI flash extraction
- Block unnecessary remote access interfaces like SSH/Telnet