CVE-2020-10882

HIGH

TP-Link Archer A7 Firmware Ver: 190726 AC1750 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-10882. PoCs published by lnversed, including Metasploit module exploits/linux/misc/tplink_archer_a7_c7_lan_rce.

AI-analyzed exploit summary This repository contains only a README with reference links to external advisories and blog posts about CVE-2020-10882, which involves a vulnerability in TP-Link Archer C7 routers. No exploit code or technical details are provided in the repository itself.

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.

Exploits (3)

nomisec WRITEUP
by lnversed · poc
https://github.com/lnversed/CVE-2020-10882

This repository contains only a README with reference links to external advisories and blog posts about CVE-2020-10882, which involves a vulnerability in TP-Link Archer C7 routers. No exploit code or technical details are provided in the repository itself.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: TP-Link Archer C7
No auth needed
Prerequisites: Access to the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon on TP-Link Archer A7/C7 routers, allowing unauthenticated remote code execution as root. It includes a checksum calculation for packet validation and supports payload delivery via HTTP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link Archer A7/C7 (AC1750) v5 (firmware up to 201029/30)
No auth needed
Prerequisites: LAN access to the target router
devstral-2 · analyzed Mar 05, 2026 Full analysis →
exploitdb WORKING POC
rubyremotelinux_mips
https://www.exploit-db.com/exploits/48331

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon on TP-Link Archer A7/C7 routers, allowing unauthenticated remote code execution as root via crafted UDP packets on port 20002. The exploit includes a checksum calculation routine and payload delivery mechanism.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)
No auth needed
Prerequisites: LAN access to the target router
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-334/

Scores

CVSS v3 8.8
EPSS 0.3217
EPSS Percentile 97.0%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
tp-link/ac1750_firmware 190726
Published Mar 25, 2020
Tracked Since Feb 18, 2026