CVE-2025-40634

CRITICAL

TP-Link Archer AX50 <1.0.15 - Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-40634. PoCs published by hacefresko.

AI-analyzed exploit summary This repository contains a working exploit for CVE-2025-40634, a stack-based buffer overflow in the TP-Link Archer AX50 router's `conn-indicator` binary, leading to remote code execution. The exploit leverages a crafted DNS response to overflow a buffer in the `DNS_answer_parser` function.

Description

Stack-based buffer overflow vulnerability in the 'conn-indicator' binary running as root on the TP-Link Archer AX50 router, in firmware versions prior to 1.0.15 build 241203 rel61480. This vulnerability allows an attacker to execute arbitrary code on the device over LAN and WAN networks.

Exploits (2)

nomisec WORKING POC 30 stars

by hacefresko · poc

https://github.com/hacefresko/CVE-2025-40634

View Code ZIP pw:eip

This repository contains a working exploit for CVE-2025-40634, a stack-based buffer overflow in the TP-Link Archer AX50 router's `conn-indicator` binary, leading to remote code execution. The exploit leverages a crafted DNS response to overflow a buffer in the `DNS_answer_parser` function.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: TP-Link Archer AX50 firmware version 1.0.14 Build 20240108 rel.42655(4555)

No auth needed

Prerequisites: Network access to the vulnerable router · Ability to send crafted DNS responses to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 5 stars

by hacefresko · pythonpoc

https://github.com/hacefresko/CVEs/tree/main/CVE-2025-40634

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2025-40634, demonstrating a command injection vulnerability in TP-Link Tapo c200 IP cameras. The exploit leverages insufficient input validation in the `setLanguage` method to achieve unauthenticated remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: TP-Link Tapo c200 IP camera (firmware versions prior to 1.1.16 Build 211209 Rel. 37726N)

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory

https://www.incibe.es/en/incibe-cert/notices/aviso/stack-based-buffer-overflow-tp-link-archer-ax50

Scores

CVSS v4 9.2

EPSS 0.0056

EPSS Percentile 42.2%

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-121

Status published

Products (1)

TP-Link/Link Archer AX50 < 1.0.15 build 241203 rel61480

Published May 20, 2025

Tracked Since Feb 18, 2026