Lucene search

[email protected]NVD:CVE-2022-41540

HistoryOct 18, 2022 - 3:15 p.m.

CVE-2022-41540

2022-10-1815:15:10

CWE-798

[email protected]

web.nvd.nist.gov

tp-link

ax10v1

cryptographic keys

man-in-the-middle

attack

sensitive information

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

44.2%

JSON

The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.

Affected configurations

Nvd

Node

tp-linkax10Match1.0

AND

tp-linkax10_firmwareMatchv1_211117

VendorProductVersionCPE
tp-linkax101.0cpe:2.3:h:tp-link:ax10:1.0:*:*:*:*:*:*:*
tp-linkax10_firmwarev1_211117cpe:2.3:o:tp-link:ax10_firmware:v1_211117:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tp-link	ax10	1.0	cpe:2.3:h:tp-link:ax10:1.0:::::::*
tp-link	ax10_firmware	v1_211117	cpe:2.3:o:tp-link:ax10_firmware:v1_211117:::::::*

References

github.com/efchatz/easy-exploits/tree/main/Web/TP-Link/Offline-decryption

www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

44.2%

JSON

Related for NVD:CVE-2022-41540

prion1 cvelist1 cve1 githubexploit1