Tp-Link Archer AX53 v1.0 dnsmasq configuration restore TFTP server enable vulnerability

CVE-2026-30817

An external config control vulnerability exists in the Openvpn configuration restore route_up functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary file reading. An attacker can upload a malicious file to trigger this vulnerability.

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553)

Archer AX53 v1.0 – https://www.tp-link.com/my/support/download/archer-ax53/

6.8 – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE-73 – External Control of File Name or Path

The TP-Link Archer AX53 AX3000 Dual Band Gigabit Wi-Fi 6 Router is currently among the most popular routers sold online, and boasts impressive gigabit speeds for the price. This router also features remote cloud access via the TP-Link HomeShield application and smart home functionality.

A long existing feature of TP-Link routers and most routers in general is the ability to backup the router configuration into a file which can then be reuploaded to the device to restore the router to a particular operational state. On the TP-Link AX3000, this functionality is accessed via the Web GUI by navigating to the ‘Advanced > System’ menu. Upon hitting the ‘Back Up’ button, the browser will download a file called ArcherAX53v120241120131n.bin. As described in a previously disclosed vulnerability on an older model of TP-Link routers https://github.com/aaronsvk/CVE-2022-30075 , this binary blob must first be decrypted with a static AES key and IV, then unpacked as a GZIP archive. After this, one must unpack the resulting tar file to get two resulting files: `ori-backup-user-config.bin` and `ori-backup-certificate.bin` with actual contents. We then unpack these two files in the same exact manner, first decrypting with the same AES key and IV and unpacking decrypted binary as a gzip file. For `ori-backup-user-config.bin` we end up with a `config.xml` file that is human readable. This configuration xml can be editied and then repacked with a reverse of the process to manually change the configuration of the device.

Among the different configuration options, there exist some that are parsed by `/etc/init.d/` startup scripts, and for the purposes of this writeup we only care to look at `/etc/init.d/dnsmasq`:

“`
dnsmasq() { local cfg=”$1″ append_bool “$cfg” authoritative “–dhcp-authoritative” append_bool “$cfg” nodaemon “–no-daemon” append_bool “$cfg” domainneeded “–domain-needed” append_bool “$cfg” filterwin2k “–filterwin2k” append_bool “$cfg” nohosts “–no-hosts” append_bool “$cfg” nonegcache “–no-negcache” append_bool “$cfg” strictorder “–strict-order” append_bool “$cfg” logqueries “–log-queries” append_bool “$cfg” noresolv “–no-resolv” append_bool “$cfg” localise_queries “–localise-queries” append_bool “$cfg” readethers “–read-ethers” append_bool “$cfg” dbus “–enable-dbus” append_bool “$cfg” boguspriv “–bogus-priv” append_bool “$cfg” expandhosts “–expand-hosts” append_bool “$cfg” enable_tftp “–enable-tftp” // [1] append_bool “$cfg” nonwildcard “–bind-interfaces” append_bool “$cfg” fqdn “–dhcp-fqdn” append_parm “$cfg” dhcpscript “–dhcp-script” // […] append_parm “$cfg” “tftp_root” “–tftp-root” // [2] // […] config_get_bool readethers “$cfg” readethers [ “$readethers” = “1” -a ! -e “/etc/ethers” ] && touch /etc/ethers echo >> $CONFIGFILE }
“`

This init script parses our uploaded configuration, searching for all of the above listed options among others. For this particular vulnerability we only care about setting the `–enable-tftp` flag and the `–tftp-root` parameter. First we provide a configuration with the following lines inside of the `…` tags:

“`
1 /
“`

Once uploaded and the device automatically reboots, dnsmasq will start up it’s internal TFTP server mainly used for network booting. While this TFTP server does not allow for any `PUT` commands, we can run `GET` commands most of the file system, resulting in reading of most files on the file system, assuming we know the path of the file that we want.

Vendor advisory: https://www.tp-link.com/us/support/faq/5055/

2026-01-12 – Vendor Disclosure

2026-04-08 – Vendor Patch Release

2026-05-07 – Public Release

Discovered by Lilith >_> of Cisco Talos.

Recent posts