Authenticated RCE in TP-Link Archer HomeShield tmp_get_sites
An authenticated remote code execution (RCE) vulnerability in the TP-Link Archer router series exists in the HomeShield component's tmp_get_sites function. It is reported to remain exploitable even when HomeShield is not enabled, so leaving the feature switched off is not a mitigation.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a working exploit for CVE-2024-53375, a command injection vulnerability affecting TP-Link Archer series routers with HomeShield functionality. The exploit is a single Python script (archer.py) that authenticates to the router's web interface, establishes a session, and sends a crafted POST request to the vulnerable endpoint (/admin/smart_network?form=tmp_avira). It abuses missing input sanitization of the ownerId parameter to execute arbitrary OS commands as root; the command is supplied on the script's command line, and the README demonstrates reading /etc/shadow and /etc/passwd. The README also gives technical details, affected device information, and a disclosure timeline. The attack is network-based but requires valid credentials, so the practical prerequisites are an admin password the attacker knows or can guess and a reachable web interface (LAN side, or WAN side when remote management is enabled). The repository cleanly separates documentation from exploit code.
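As an added example (not the repository's archer.py and not TP-Link code), the following Python flags HTTP requests that match the pattern described above: a POST to /admin/smart_network with form=tmp_avira whose ownerId value carries shell metacharacters. It assumes the detector can see request bodies, e.g. from a reverse proxy, IDS or packet capture in front of the admin interface (the router is not assumed to log bodies), and because the write-up does not state how ownerId is encoded it checks both a form-encoded body and a JSON object. The sample requests are constructed for the example.

```python
"""Heuristic detector for CVE-2024-53375-style requests (added example).

Assumptions (not stated on the page): request bodies are available to the
detector, and ownerId is sent either form-encoded or as a JSON field.
"""
import json
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Shell metacharacters that a legitimate identifier field should never contain.
# This is a heuristic, not a signature of the exact exploit payload.
INJECTION_CHARS = re.compile(r"[;|&`$(){}<>\n]")

ENDPOINT_PATH = "/admin/smart_network"
ENDPOINT_FORM = "tmp_avira"
PARAM = "ownerId"


def is_target_request(method, path):
    """True when the request hits the endpoint named in the exploit write-up."""
    parts = urlsplit(path)
    if method.upper() != "POST" or parts.path != ENDPOINT_PATH:
        return False
    return parse_qs(parts.query).get("form") == [ENDPOINT_FORM]


def _form_values(body, key):
    """Split a form-encoded body on '&' only, so an injected ';' survives decoding."""
    values = []
    for pair in body.split("&"):
        k, _, v = pair.partition("=")
        if unquote_plus(k) == key:
            values.append(unquote_plus(v))
    return values


def _json_values(body, key):
    """Return [str(value)] if the body is a JSON object carrying the key."""
    try:
        obj = json.loads(body)
    except ValueError:
        return []
    if isinstance(obj, dict) and key in obj:
        return [str(obj[key])]
    return []


def suspicious_owner_id(body):
    """Return the ownerId value if it contains shell metacharacters, else None."""
    stripped = body.lstrip()
    values = _json_values(stripped, PARAM) if stripped.startswith("{") else _form_values(body, PARAM)
    for value in values:
        if INJECTION_CHARS.search(value):
            return value
    return None


def scan(requests):
    """Return (src, ownerId) for each request matching endpoint and injection pattern."""
    hits = []
    for r in requests:
        if is_target_request(r["method"], r["path"]):
            value = suspicious_owner_id(r["body"])
            if value is not None:
                hits.append((r["src"], value))
    return hits


# Constructed sample traffic; the second entry mimics the write-up's /etc/shadow read.
SAMPLE_REQUESTS = [
    {"src": "192.168.0.50", "method": "POST",
     "path": "/admin/smart_network?form=tmp_avira",
     "body": "ownerId=12&operation=read"},
    {"src": "203.0.113.7", "method": "POST",
     "path": "/admin/smart_network?form=tmp_avira",
     "body": "ownerId=1%3Bcat+%2Fetc%2Fshadow&operation=read"},
    {"src": "203.0.113.7", "method": "POST",
     "path": "/admin/status?form=all",
     "body": "ownerId=1%3Bid"},
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_REQUESTS):
        print(f"ALERT {src} ownerId={value!r}")
```

Run over the constructed sample, only the second request is reported; the third carries the same payload but targets a different endpoint, which keeps the rule narrow enough to deploy without first confirming how the device encodes its admin-side requests. The metacharacter class is deliberately broad, so tune it against a capture of legitimate HomeShield traffic before treating a hit as confirmed exploitation rather than a lead.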
Affected products & vendors
TP-Link Archer series routers that ship the HomeShield component; the Archer AXE75 is the model named in the exploitation reports below.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Multiple reports describe this command injection, affecting at least the TP-Link Archer AXE75, being exploited in the wild by the Mirai-based ShadowV2 botnet to compromise devices and conduct DDoS attacks. Active exploitation by a botnet despite the authentication requirement means exposed admin interfaces with default or reused credentials should be treated as already at risk.