Debug shell with root privileges in TP-Link WR740 routers
A range of TP-Link WR740 and related models ship with a hidden debug shell running as root. The credentials are hard-coded in the HTTP server binary and cannot be changed, giving attackers reliable root-level access from the local network or, in some cases, remotely.
CVSS Score
Severity
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory
| Vendor | TP-Link |
| Models | WDR740N, WDR740ND, WR743ND, WR842ND, WA901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020, WR841N |
| Firmware | 3.12.11 Build 111130 Rel.55312n and possibly others |
| Impact | Hidden debug shell running as root |
| Attack Vector | Local and remote |
Description
TP-Link WDR740ND / WDR740N routers ship with a hidden debugging shell running with root privileges. The username is hard-coded in the HTTP server binary and the password cannot be changed from the management interface, so the built-in credentials are effectively guaranteed to work on every unit.
Proof of Concept
Request the hidden shell page and authenticate with the built-in account:
URL: /userRpmNatDebugRpm26525557/linux_cmdline.html
User: osteam
Pass: 5up
From this shell, an attacker can add malicious routing rules, modify configuration files, or pivot to the LAN.
Remediation
No vendor fix. Disable WAN-side HTTP administration; replace vulnerable devices.
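With no vendor fix available, requests to the debug page can be watched for at a proxy or HTTP sensor in front of the device. The following is an added example, not part of the original advisory: it scans log lines for the debug path and account named above. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators taken from the advisory text above.
DEBUG_DIR = "/userrpmnatdebugrpm26525557/"
DEBUG_USER = "osteam"

# Assumed input: Common/Combined Log Format from a proxy or HTTP sensor:
# host ident user [time] "METHOD target PROTO" status size (user = HTTP auth user, if logged)
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop query and scheme://host, percent-decode twice, collapse slashes, lower-case."""
    path = target.split("?", 1)[0]
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", path, flags=re.I)
    for _ in range(2):  # second pass catches double encoding (%2575 -> %75 -> u)
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path).lower()

def find_debug_shell_access(lines):
    """Return one dict per log line that touches the debug path or account."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; ignore rather than guess
        reasons = []
        if DEBUG_DIR in normalize(m["target"]):
            reasons.append("debug-path")
        if m["user"].lower() == DEBUG_USER:
            reasons.append("debug-user")
        if reasons:
            hits.append({"src": m["src"], "time": m["time"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Mar/2024:10:05:13 +0000] "GET /userRpmNatDebugRpm26525557/linux_cmdline.html HTTP/1.1" 401 0',
    '192.0.2.44 - osteam [12/Mar/2024:10:05:15 +0000] "GET /userRpmNatDebugRpm26525557/linux_cmdline.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2024:11:00:00 +0000] "GET /%75serRpmNatDebugRpm26525557//linux_cmdline.html?x=1 HTTP/1.1" 401 0',
]
if __name__ == "__main__":
    print(*find_debug_shell_access(SAMPLE), sep="\n")
```

A hit with status 200 and both reasons set means the built-in account was accepted; a hit from a non-LAN source address means the management interface is reachable from the WAN side.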