Statement on LAN Command Execution on Archer C5400X(CVE-2024-5035)

TP-Link has noted the reports about CVE-2024-5035. We have prioritized addressing this issue and fixed the source code weakness before its public disclosure.

After a thorough internal source code analysis (including an in-depth review of the function call path), we have determined that CVE-2024-5035 is more of a source code weakness than an available LAN vulnerability with a specific killchain. As such, CVE-2024-5035 disclosure does not increase information security risks in daily use.

TP-Link takes security vulnerabilities very seriously and actively deals with them upon receipt of notification. We have released firmware Archer C5400X_V1_1.1.7 Build 20240510 on the official website and pushed the firmware to customers' devices before CVE-2024-5035 is disclosed publicly. Archer C5400X will automatically receive update notifications in the web administration interface, Tether application.

TP-Link strongly recommends that you download and update to the latest firmware for the product model as soon as possible.

Disclaimer

The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.