Vulnerability Details : CVE-2022-41540
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.
Products affected by CVE-2022-41540
- cpe:2.3:o:tp-link:ax10_firmware:v1_211117:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41540
0.11% (probability of exploitation activity in the next 30 days)
EPSS Score History
~44% (percentile: the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-41540
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2022-41540
- The product contains hard-coded credentials, such as a password or cryptographic key. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-41540
- https://www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware (Download for Archer AX10 | TP-Link): Product; Vendor Advisory
- https://github.com/efchatz/easy-exploits/tree/main/Web/TP-Link/Offline-decryption (easy-exploits/Web/TP-Link/Offline-decryption at main · efchatz/easy-exploits · GitHub): Exploit; Third Party Advisory