← Back

CVE-2023-44447

nvd nist
Published: May 3, 2024Modified: Sep 4, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 / Impact: 3.6
Source: zdi-disclosures@trendmicro.com (Secondary)

Description

TP-Link TL-WR902AC loginFs Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR902AC routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-21529.

Affected (2)

Tp Link
1 product
Tl Wr902ac Firmware
Configuration A
2 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Tp Link
Tl Wr902ac Firmware
Version 231025
Tl Wr902ac Firmware
Version 231027
Running on/withPlatform Versions
Tp Link
Tl Wr902ac
Version 1

Related CWEs

CWE-290
Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

References (2)

Source: zdi-disclosures@trendmicro.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.