CVE-2015-3035

HIGH KEV NUCLEI

TP-LINK Multiple Routers - Path Traversal via PATH_INFO

Title source: llm

Exploitation Summary

CVE-2015-3035 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 1 public exploit, including a Metasploit module auxiliary/gather/tplink_archer_c7_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a directory traversal vulnerability in TP-Link Archer C5, C7, and C9 routers via the PATH_INFO parameter in the /login/ endpoint. It retrieves arbitrary files from the device, such as /etc/passwd, by manipulating the URI path.

Description

Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.

Exploits (1)

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/tplink_archer_c7_traversal.rb

View Code ZIP pw:eip

This Metasploit module exploits a directory traversal vulnerability in TP-Link Archer C5, C7, and C9 routers via the PATH_INFO parameter in the /login/ endpoint. It retrieves arbitrary files from the device, such as /etc/passwd, by manipulating the URI path.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: TP-Link Archer C5, C7, C9 (various versions)

No auth needed

Prerequisites: Network access to the target device · Vulnerable firmware version

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

TP-LINK - Local File Inclusion

HIGHVERIFIEDby 0x_Akoko

Shodan: http.title:"TP-LINK" || http.title:"tp-link"

FOFA: title="tp-link"

References (17)

Core 17

Core References

Product x_refsource_confirm

http://www.tp-link.com/en/download/Archer-C9_V1.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/Archer-C7_V2.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WR740N_V5.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/Archer-C5_V1.20.html#Firmware

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/131378/TP-LINK-Local-File-Disclosure.html

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WR841N_V9.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WR841ND_V9.html#Firmware

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2015/Apr/26

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WDR3600_V1.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WDR3500_V1.html#Firmware

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/74050

Exploit, Not Applicable x_refsource_misc

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150410-0_TP-Link_Unauthenticated_local_file_disclosure_vulnerability_v10.txt

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WR741ND_V5.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/Archer-C8_V1.html#Firmware

Product x_refsource_confirm

http://www.tp-link.com/en/download/TL-WDR4300_V1.html#Firmware

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/535240/100/0/threaded

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-3035

Scores

CVSS v3 7.5

EPSS 0.9245

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact partial

Details

CISA KEV 2022-03-25

VulnCheck KEV 2022-03-25

InTheWild.io 2022-03-25

ENISA EUVD EUVD-2015-3116

CWE

CWE-22

Status published

Products (25)

tp-link/archer_c5_\(1.2\)_firmware < 141126

tp-link/archer_c5_firmware < 150317

tp-link/archer_c7_\(2.0\)_firmware < 141110

tp-link/archer_c7_firmware < 150304

tp-link/archer_c8_\(1.0\)_firmware < 141023

tp-link/archer_c8_firmware < 150316

tp-link/archer_c9_\(1.0\)_firmware < 150122

tp-link/archer_c9_firmware < 150302

tp-link/tl-wdr3500_\(1.0\)_firmware < 141113

tp-link/tl-wdr3500_firmware < 150302

... and 15 more

Published Apr 22, 2015

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026