CVE-2024-57357
Published: 07 February 2025
Description
An issue in TPLINK TL-WPA 8630 TL-WPA8630(US)_V2_2.0.4 Build 20230427 allows a remote attacker to execute arbitrary code via function sub_4256CC, which allows command injection by injecting 'devpwd'.
Security Summary
CVE-2024-57357 is a command injection vulnerability (CWE-78) affecting the TP-Link TL-WPA8630(US)_V2_2.0.4 Build 20230427 firmware on the TL-WPA 8630 powerline adapter. The issue resides in the function sub_4256CC, which lets a remote attacker execute arbitrary code by injecting command syntax through the 'devpwd' parameter.
According to its CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by an attacker with adjacent network access and low privileges. No user interaction is required, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability through remote code execution.
Details on the vulnerability, including exploit information, are documented in the GitHub repository at https://github.com/c10uds/tplink-wpa8630-rce-vulnerability. No official patch or mitigation guidance from the vendor is specified in available references.
Details
- CWE(s)