CVE-2022-41540
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
18/10/2022
Last modified:
15/05/2025
Description
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:tp-link:ax10_firmware:v1_211117:*:*:*:*:*:*:* | ||
| cpe:2.3:h:tp-link:ax10:1.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/efchatz/easy-exploits/tree/main/Web/TP-Link/Offline-decryption
- https://www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware
- https://github.com/efchatz/easy-exploits/tree/main/Web/TP-Link/Offline-decryption
- https://www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware