TP-Link’s SR20 Smart Home Router is impacted by a zero-day arbitrary code execution (ACE) vulnerability which allows potential attackers on the same network to execute arbitrary commands as disclosed on Twitter by Google security developer Matthew Garrett.
Garrett disclosed the ACE 0-day after TP-Link did not provide a response during the 90 days since his report and, as he explained in the Twitter thread, the zero-day stems from the fact that “TP-Link routers frequently run a process called “tddp” (TP-Link Device Debug Protocol) as root” which has been previously found to contain multiple other vulnerabilities.
Source: Bleeping Computer
