🟑 CVE-2020-24363

TP-Link TL-WA855RE V5 WiFi range extender allows unauthenticated attackers on the same network to perform factory reset via TDDP_RESET POST request and then set new administrative password. This vulnerability is actively exploited and listed in CISA KEV.

← Back to Overview
MEDIUM_RISK
Risk Level
8.8
CVSS Score
ADJACENT_NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 β€” Exploit Public-Facing Application
ATT&CK Technique
HIGH
Deployment Risk
No
Ransomware

πŸ“‹ Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2020-08-31

Added to CISA KEV: 2025-09-02 1828 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2020-24363 is a security vulnerability affecting specific TP-Link devices that has been confirmed as being actively exploited in the wild [1]. It was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog in September 2025 [1].

Vulnerability Overview
  • Affected Product: TP-Link TL-WA855RE (specifically version V5, firmware 20200415-rel37464) [2].
  • Nature of Flaw: It is a "Missing Authentication for Critical Function" vulnerability [2].
  • Impact: Successful exploitation allows an unauthenticated attacker to perform a factory reset and reboot the device by submitting a `TDDP_RESET` POST request [2]. Furthermore, an attacker can gain unauthorized access by setting a new administrative password [3].
Exploitation Details
  • Attack Requirements: The attack must be performed by an actor on the same network as the device (local network access) [2]. No user interaction is required for the attacker to trigger the reset or change the password [2].
  • Active Exploitation: CISA added this to the KEV catalog due to evidence of active exploitation in the wild [1]. Reports indicate that the availability of public proof-of-concept (PoC) code and online advisories has facilitated and accelerated this exploitation [4].
  • Tool Availability: There is at least one public PoC/exploit available on GitHub, which has contributed to the ease of exploitation by malicious actors [3].
Threat Actor Usage and Campaigns
While the vulnerability is confirmed to be exploited in the wild, specific details regarding the identity of the threat actors or their involvement in specific ransomware campaigns are not publicly detailed in the available documentation. However, CISA notes that such vulnerabilities are frequent attack vectors for malicious actors and pose significant risks to organizations, recommending that the KEV catalog be used to prioritize vulnerability management [1]?search_api_fulltext=CVE-2020-24363?kagi_q=CVE-2020-24363+details+exploitation+threat+actors.
Mitigation
Organizations and users are strongly advised to follow standard security practices for such hardware, which include:
  • Updating Firmware: Ensure the device is running the latest available firmware provided by the manufacturer.
  • Network Segmentation: Since the attack requires local network access, isolating such devices on a separate management VLAN or restricting access to the device's administrative interface can significantly reduce the attack surface.
  • Monitoring: Monitor for unauthorized configuration changes or unexpected reboots of the device.

Sources

  1. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2020-24363 ... CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2020-24…

  2. NVD - CVE-2020-24363

    An official website of the United States government Here's how you know ... CVE-2020-24363 Detail. Description. TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot.Reference CISA's…

  3. CVE-2020-24363 - TP-link TL-WA855RE Missing Authentication for...

    CVE-2020-24363 has a 1 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.The following table lists the changes that have been made to the CVE-2020-24363 vulnerability over time. Vulnerability history details can be useful for understanding the evolution of a vulne…

  4. In-Depth Analysis of TP-Link Firmware and WhatsApp ... - Rescana

    The TP-Link vulnerability, designated as CVE-2020-24363, is rooted in the improper input validation mechanisms embedded within the firmware ... The TP-Link vulnerability, designated as CVE-2020-24363, is rooted in the improper input validation mechanisms embedded within the firmware update process o…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

πŸ“„ Download JSON Data | πŸ“‘ RSS Feed