CVE-2024-1180: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in TP-Link Omada ER605
TP-Link Omada ER605 Access Control Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605. Authentication is required to exploit this vulnerability. The specific issue exists within the handling of the name field in the access control user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22227.
AI Analysis
Technical Summary
CVE-2024-1180 is an OS command injection vulnerability identified in the TP-Link Omada ER605 router, specifically affecting version 2.1.2 Build 20230210 Rel.62992. The flaw resides in the access control user interface, where the 'name' field input is not properly sanitized before being incorporated into system-level calls. This improper neutralization of special elements (CWE-78) allows an authenticated, network-adjacent attacker to inject arbitrary commands that the system executes with root privileges. The vulnerability was reported by the Zero Day Initiative (ZDI) under identifier ZDI-CAN-22227 and publicly disclosed on April 3, 2024. Exploitation requires valid credentials and network-adjacent access to the device; no further user interaction is needed. The CVSS v3.0 base score is 6.8, indicating medium severity, with high impact on confidentiality, integrity, and availability due to root-level code execution. No patches or known exploits had been reported at the time of disclosure, but the vulnerability poses a significant risk to network security if exploited.
Potential Impact
If exploited, this vulnerability allows attackers to execute arbitrary code with root privileges on the TP-Link Omada ER605 router. This can lead to full compromise of the device, including interception or manipulation of network traffic, disruption of network services, and potential pivoting to other internal systems. The confidentiality of sensitive data passing through the router can be breached, integrity of network configurations can be altered maliciously, and availability can be disrupted through denial-of-service or persistent backdoors. Organizations relying on this router for critical network infrastructure, especially in enterprise or managed service provider environments, face risks of operational disruption and data breaches. The requirement for authentication limits exploitation to insiders or attackers who have obtained credentials, but the medium CVSS score reflects the serious consequences of successful exploitation.
Mitigation Recommendations
Organizations should immediately restrict access to the management interface of TP-Link Omada ER605 devices to trusted personnel and networks only, employing network segmentation and strong authentication mechanisms such as multi-factor authentication where possible. Monitoring and logging of administrative access should be enhanced to detect suspicious activities. Since no official patch is currently available, consider temporary mitigations such as disabling access control features that utilize the vulnerable input field or limiting the ability to add or modify access control entries until a fix is released. Regularly check TP-Link’s official channels for firmware updates addressing this vulnerability and apply them promptly. Additionally, conduct audits of user accounts to ensure no unauthorized credentials exist and educate administrators on the risks of command injection vulnerabilities. Employ network intrusion detection systems (NIDS) to identify anomalous command injection attempts targeting the device.
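The following is an added illustration, not code from the advisory or from TP-Link's firmware, of the two controls the analysis above calls for: strict allowlist validation of a user-supplied access-control name before it reaches a system call, and flagging shell metacharacters in submitted names so they can be logged or alerted on. The `acl_tool` command, the allowlist pattern and the length limit are assumptions chosen for the example.

```python
import re
import shlex
from typing import Dict, List

# Allowlist for an access-control entry name: letters, digits, space, dot,
# underscore and hyphen, 1-32 characters. Assumed for this example; the
# ER605's real naming rule is not documented in the advisory.
_NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9 ._-]{1,32}")

# Shell metacharacters whose presence in a name field is a strong signal of a
# CWE-78 injection attempt and is worth logging or alerting on.
_SHELL_METACHARS = set(";|&`$(){}<>\n\r\\'\"")


def validate_acl_name(name: str) -> bool:
    """Reject-by-default: True only if the whole name matches the allowlist."""
    return _NAME_ALLOWLIST.fullmatch(name) is not None


def suspicious_metachars(name: str) -> List[str]:
    """Return the shell metacharacters present in a submitted name (sorted)."""
    return sorted(c for c in set(name) if c in _SHELL_METACHARS)


def build_acl_command(name: str) -> List[str]:
    """Build the rule-adding command as an argv list so no shell parses the name.

    'acl_tool' is a hypothetical binary; the point is that the value travels
    as a single argument instead of being spliced into a shell string.
    """
    if not validate_acl_name(name):
        raise ValueError("invalid access-control name: %r" % name)
    return ["acl_tool", "add", "--name", name]


def quote_for_shell(name: str) -> str:
    """Defence in depth if a shell cannot be avoided: single-quote the value."""
    return shlex.quote(name)


def check_acl_name_submission(name: str) -> Dict[str, object]:
    """Decision record for one submitted name, suitable for an audit log line."""
    return {"accepted": validate_acl_name(name), "metachars": suspicious_metachars(name)}
```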
Affected Countries
United States, China, Germany, United Kingdom, India, Brazil, Australia, Canada, France, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-02-01T21:43:17.125Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 699f6d24b7ef31ef0b56e56d
Added to database: 2/25/2026, 9:44:04 PM
Last enriched: 2/28/2026, 8:15:05 AM
Last updated: 4/12/2026, 6:06:43 AM