TP-Link SR20 Router Vulnerability Disclosed by Google Researcher After No Response From Company

Advertisement
By Tasneem Akolawala | Updated: 29 March 2019 14:16 IST
Highlights
  • Google researcher told TP-Link of this issue in December
  • He got no response from the company, his tweet was also ignored
  • He then published the TP-Link SR20 router vulnerability online

TP-Link vulnerability exposes type 1 commands for attackers to exploit

According to Google security researcher Matthew Garrett, TP-Link's SR20 Smart Home Router comes with a vulnerability that allows arbitrary command execution from a local network connection. This exploit was disclosed by the researcher after he was unable to solicit a response from TP-Link, and even published a proof-of-concept to demonstrate the vulnerability. The router, which was launched in 2016, exposes a number of commands that come with root privileges and does not even require authentication. Garrett disclosed the proof-of-concept, after waiting for the Google Project Zero team's 90-day deadline for disclosure to elapse.

Garrett took to Twitter to explain that the TP Link SR20 Smart Home Router comes with TDDP (TP-Link Device Debug Protocol), which is affected with several vulnerabilities, and one of them is that version 1 commands are exposed for attackers to exploit.

Advertisement

He says that these exposed commands allow attackers to send a command containing a filename, a semicolon, to execute the process. “This connects back to the machine that sent the command and attempts to download a file via TFTP (Trivial File Transfer Protocol) corresponding to the filename it sent. The main TDDP process waits up to four seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialised earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since TDDP is running as root, you get arbitrary command execution as root,” he explains on the blog.

This process allows for full takeover of the SR20 router. Garett says he reported to TP-Link of this vulnerability in December, via its security disclosure form. The page told him that he would get a response within three days, but hasn't heard back from them till date. He also said that he tweeted at TP-Link regarding the matter, but that garnered no response either.

Advertisement

He ends by suggesting to the company, “Don't default to running debug daemons on production firmware”, and, “If you're going to have a security disclosure form, read it.”

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: TP LInk, TP Link SR20 Router, Google
Advertisement

Related Stories

Popular Mobile Brands
  1. iPhone 18 Pro Max Could Get a New Sony Sensor With Variable Aperture Tech
  2. OnePlus Exits US, Europe, Continues Operations in India: 5 Things to Know
  3. Lenovo Legion C700 Confirmed to Launch in August With 120Hz IPS Display
  4. Insomniac Games Shares New Trailer for Marvel's Wolverine
  5. Here's How Much the iQOO Z11 Lite Could Cost in India
  6. Airtel Revises Postpaid Portfolio, Removes Rs. 549 Individual Plan
  7. Here's When the Poco M8 Power, Poco X8 Could Launch in India
  8. Oppo K15 Launch Date Confirmed; Key Specifications Revealed Ahead of Debut
  9. Tecno Camon 50 Ultra 5G With a 6,500mAh Battery Debuts in India: See Price
  1. Airtel Unlimited 5G Data Subscribers Cannot Share 5G Data via Mobile Hotspot, Company Confirms
  2. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  3. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  4. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  5. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  6. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
  7. Asus Pad India Launch Date Announced as Company Reveals Key Specifications
  8. iPhone 18 Pro Max Diagnostics Log Reportedly Reveals Variable Aperture Camera, Sony Sensor Upgrade
  9. Vivo X500 Ultra Leak Suggests Three 200-Megapixel Telephoto Sensors Under Testing
  10. iQOO Z11 Lite Price Range in India, Key Specifications Revealed Ahead of Official Launch
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.