A high-severity vulnerability exists in multiple TP-Link router products, including the Archer AX21 model. An unauthenticated attacker on the local network can exploit this flaw to execute arbitrary code with the highest privileges (root), allowing them to take complete control of the affected device. This could lead to network traffic interception, pivoting to other internal systems, or complete disruption of network services.

This vulnerability is a command injection flaw within the MiniDLNA service running on affected TP-Link routers. An unauthenticated attacker with access to the Local Area Network (LAN) can send a specially crafted request to the device. By manipulating the db_dir field in this request, the attacker can inject and execute arbitrary operating system commands, which are run with root-level permissions, granting them full administrative control over the router.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation would result in a complete compromise of the network perimeter device. An attacker could intercept, monitor, or redirect all internet traffic, leading to data theft of sensitive information. The compromised router could also be used as a pivot point to launch further attacks against other devices on the internal network, or be conscripted into a botnet for use in external attacks like Distributed Denial-of-Service (DDoS), causing reputational damage and potential service disruption.

Immediate Action: Apply the security updates provided by TP-Link to all affected devices immediately. After patching, review device access logs and system logs for any unusual activity or connections related to the minidlnad service that may indicate a prior compromise.

Proactive Monitoring: Monitor network traffic for unusual patterns originating from the router itself, such as connections to unknown external IP addresses. System administrators should check for unexpected processes, high CPU utilization, or unauthorized configuration changes on the device. Log analysis should focus on requests to the minidlnad service, specifically looking for malformed or suspicious values in the db_dir parameter.

Compensating Controls: If patching is not immediately possible, disable the DLNA Media Server feature via the router's web administration interface, as this will deactivate the vulnerable minidlnad service. Additionally, implement network segmentation to restrict access to the router's management interface and other services from non-essential parts of the network.

Public Exploit Available: true

Given the high severity (CVSS 7.5), root-level impact, and the availability of public exploit code, we recommend that organizations treat this vulnerability with high urgency. All affected TP-Link devices should be identified and patched immediately. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it a prime target for attackers who have gained an initial foothold in a network. If patching cannot be performed, the recommended compensating controls, particularly disabling the DLNA service, must be implemented as a temporary measure.