CVE-2022-30075

HIGH EXPLOITED

TP-Link Archer AX50 Firmware < 210730 - Remote Code Execution via Malicious Backup File Import

Title source: llm

Exploitation Summary

CVE-2022-30075 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Tomas Melicher, aaronsvk, SAJIDAMINE.

AI-analyzed exploit summary: This exploit demonstrates authenticated RCE on TP-Link Archer AX50 routers by importing a malicious config file. It includes encryption/decryption logic for router communication and backup file manipulation.

Description

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.

Exploits (5)

exploitdb WORKING POC
by Tomas Melicher · python · remote · hardware
https://www.exploit-db.com/exploits/50962

This exploit demonstrates authenticated RCE on TP-Link Archer AX50 routers by importing a malicious config file. It includes encryption/decryption logic for router communication and backup file manipulation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: TP-Link Archer AX50 firmware 210730
Auth required
Prerequisites: Valid admin credentials · Network access to the router
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 231 stars
by aaronsvk · remote-auth
https://github.com/aaronsvk/CVE-2022-30075

This repository contains a Python-based exploit for CVE-2022-30075, an authenticated RCE vulnerability in TP-Link routers. The exploit manipulates backup files to inject malicious commands, enabling remote code execution via telnetd activation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: TP-Link routers (e.g., Archer AX50) with backup/restore functionality and firmware older than June 2022
Auth required
Prerequisites: Valid credentials for the router's web interface · Backup/restore functionality enabled · Firmware version older than June 2022
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by SAJIDAMINE · remote-auth
https://github.com/SAJIDAMINE/CVE-2022-30075

This PoC exploits an authenticated RCE vulnerability in TP-Link routers by importing a malicious config file. It includes encryption/decryption logic for router communication and backup file manipulation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: TP-Link Archer AX50 (and potentially other models)
Auth required
Prerequisites: Valid admin credentials · Network access to the router
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by M4fiaB0y · remote
https://github.com/M4fiaB0y/CVE-2022-30075

This PoC exploits CVE-2022-30075, a remote code execution vulnerability in TP-Link Router AX50 firmware 210730. It authenticates to the router, manipulates backup/import functionality to inject malicious configuration files, and achieves RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: TP-Link Archer AX50 firmware 210730
Auth required
Prerequisites: Valid admin credentials for the target router · Network access to the router's web interface
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by RhestCorp · remote-auth
https://github.com/RhestCorp/TP-L-NK-SIZMA-EXPLO-T

This repository contains a functional exploit for CVE-2022-30075, an authenticated RCE vulnerability in TP-Link routers (e.g., Archer AX50). The exploit authenticates, downloads and decrypts the router's configuration, injects a command into DDNS settings, re-encrypts, and uploads the modified configuration to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: TP-Link Archer AX50 and other TP-Link router models
Auth required
Prerequisites: Router IP address · Admin password · Network access to the router
devstral-2 · analyzed Apr 10, 2026

References (5)

Core References
Product, Vendor Advisory x_refsource_misc
http://tp-link.com
Third Party Advisory x_refsource_misc
https://github.com/aaronsvk
Exploit, Third Party Advisory x_refsource_misc
https://github.com/aaronsvk/CVE-2022-30075
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50962
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/167522/TP-Link-AX50-Remote-Code-Execution.html

Scores

CVSS v3 8.8
EPSS 0.3695
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-11-26
Status published
Products (1)
tp-link/archer_ax50_firmware < 210730
Published Jun 09, 2022
Tracked Since Feb 18, 2026