CVE-2024-5228: CWE-122: Heap-based Buffer Overflow in TP-Link Omada ER605
TP-Link Omada ER605 Comexe DDNS Response Handling Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service. The specific flaw exists within the handling of DNS responses. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22383.
AI Analysis
Technical Summary
CVE-2024-5228 is a heap-based buffer overflow in the TP-Link Omada ER605 router's handling of Comexe DDNS responses. The vulnerability stems from missing length validation when processing DNS response data: user-supplied data is copied into a fixed-length heap buffer without checking that it fits, allowing an attacker to overflow the buffer and achieve remote code execution (RCE) with root privileges. The attack vector is network-adjacent, meaning the attacker must be positioned to deliver crafted DNS responses to the device, but no authentication or user interaction is required. The flaw is reachable only when the device is configured to use the Comexe DDNS service, which limits the affected population to deployments with that feature enabled. The CVSS v3.0 base score is 7.5, reflecting high severity due to the potential for complete system compromise. The vulnerability was assigned by ZDI as ZDI-CAN-22383 and publicly disclosed on May 23, 2024. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The affected firmware version is 2.6_2.2.2 Build 20231017. The root cause is classified under CWE-122 (Heap-based Buffer Overflow), a common and dangerous software flaw that can lead to arbitrary code execution and system takeover.
Potential Impact
The impact of CVE-2024-5228 is significant for organizations using the TP-Link Omada ER605 routers with Comexe DDNS enabled. Successful exploitation allows attackers to execute arbitrary code with root privileges remotely, potentially leading to full device compromise. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, disruption of network services, and use of the compromised router as a foothold for further attacks. Confidentiality, integrity, and availability of network communications are all at risk. Given that authentication is not required, the attack surface is broad for network-adjacent attackers, increasing the likelihood of exploitation in poorly segmented or exposed network environments. The vulnerability could be leveraged for espionage, data theft, or launching attacks against connected systems. Although no active exploits are known, the high severity and ease of exploitation without authentication make this a critical risk for affected deployments.
Mitigation Recommendations
To mitigate CVE-2024-5228, organizations should first verify whether their TP-Link Omada ER605 routers are running the affected firmware version 2.6_2.2.2 Build 20231017 and whether the Comexe DDNS service is enabled. If Comexe DDNS is not required, disabling it immediately removes the vulnerable code path from exposure. If the service is necessary, organizations should monitor TP-Link advisories closely for official patches or firmware updates addressing this vulnerability and apply them promptly once available. In the interim, network segmentation should be enforced so that the router's management and DDNS-related traffic are reachable only from trusted internal hosts. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures for anomalous DNS response patterns may help detect exploitation attempts. Additionally, organizations should audit router configurations and logs for suspicious activity and consider network-level controls that limit exposure to network-adjacent attackers. Regular backups of router configurations and a tested incident response plan are recommended to ensure rapid recovery if compromise occurs.
Affected Countries
United States, China, Germany, United Kingdom, India, Brazil, Australia, Canada, France, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-05-22T20:22:19.958Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 699f6be0b7ef31ef0b55bb77
Added to database: 2/25/2026, 9:38:40 PM
Last enriched: 2/28/2026, 12:20:27 AM
Last updated: 4/12/2026, 3:43:14 PM