CVE-2024-5243

HIGH

TP-Link Omada ER605 - Unauthenticated Remote Code Execution via DNS Name Buffer Overflow


Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-5243. PoCs published by yi-barrack, redpack-kr.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2024-5243, targeting TP-Link ER605 routers. It chains multiple vulnerabilities (CVE-2024-5242, CVE-2024-5243, CVE-2024-5244) to achieve pre-authentication remote code execution via DDNS message spoofing, ASLR bypass, and ROP-based exploitation.

Description

TP-Link Omada ER605 Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service. The specific flaw exists within the handling of DNS names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22523.

Exploits (2)

nomisec WORKING POC 2 stars
by yi-barrack · poc
https://github.com/yi-barrack/CVE-2024-5243-pwn2own-toronto-2023

This repository contains a proof-of-concept exploit for CVE-2024-5243, targeting TP-Link ER605 routers. It chains multiple vulnerabilities (CVE-2024-5242, CVE-2024-5243, CVE-2024-5244) to achieve pre-authentication remote code execution via DDNS message spoofing, ASLR bypass, and ROP-based exploitation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: TP-Link Omada ER605 VPN Router < ER605(UN)_V2_2.2.4
No auth needed
Prerequisites: MITM position on target router's WAN interface · Ability to intercept DNS queries and spoof responses · Ability to serve malicious DDNS responses on UDP 9994
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by redpack-kr · poc
https://github.com/redpack-kr/CVE-2024-5243-pwn2own-toronto-2023

This repository contains a functional exploit PoC for CVE-2024-5243, targeting TP-Link ER605 routers via a chain of vulnerabilities (CVE-2024-5242, CVE-2024-5243, CVE-2024-5244) in the DDNS client daemon. The exploit combines DDNS message spoofing, an ASLR bypass via an info leak, and a stack-based buffer overflow for ROP-based RCE.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: TP-Link Omada ER605 VPN Router < ER605(UN)_V2_2.2.4
No auth needed
Prerequisites: MITM position on the target router's WAN interface · ability to intercept DNS queries and spoof responses · ability to serve malicious DDNS responses on UDP 9994
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References (1)
Third Party Advisory (x_research-advisory): https://www.zerodayinitiative.com/advisories/ZDI-24-502/

Scores

CVSS v3 7.5
EPSS 0.0081
EPSS Percentile 52.3%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-120
Status published
Products (1)
tp-link/omada_er605_firmware 2.2.2 build_20231017
Published May 23, 2024
Tracked Since Feb 18, 2026