
CVE-2024-5243: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in TP-Link Omada ER605

Severity: High
Type: Vulnerability
Tags: CVE-2024-5243, CWE-120
Published: Thu May 23 2024 (05/23/2024, 21:56:04 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link
Product: Omada ER605

Description

CVE-2024-5243 is a high-severity buffer overflow vulnerability in the TP-Link Omada ER605 router, specifically affecting version 2.6_2.2.2 Build 20231017. The flaw exists in the handling of DNS names when the device is configured to use the Comexe DDNS service, allowing network-adjacent attackers to execute arbitrary code with root privileges without authentication or user interaction. The vulnerability arises from improper validation of input length before copying data into a fixed-size buffer, leading to a classic buffer overflow (CWE-120). Although no known exploits are currently reported in the wild, successful exploitation could compromise the confidentiality, integrity, and availability of affected devices. Organizations using this router model with Comexe DDNS enabled are at risk. Mitigation requires disabling Comexe DDNS or applying vendor patches once available, alongside network segmentation and monitoring for anomalous activity. Countries with significant deployments of TP-Link networking equipment, especially in Asia, Europe, and North America, face the highest risk.

AI-Powered Analysis

Last updated: 02/26/2026, 02:27:43 UTC

Technical Analysis

CVE-2024-5243 is a remote code execution vulnerability identified in the TP-Link Omada ER605 router, specifically in firmware version 2.6_2.2.2 Build 20231017. The vulnerability is a classic buffer overflow (CWE-120) caused by improper validation of the length of user-supplied DNS name data before copying it into a fixed-size buffer. This flaw exists only when the router is configured to use the Comexe DDNS service, which processes DNS names. An attacker positioned on the same network or within network adjacency can send specially crafted DNS name data to the device, triggering the buffer overflow and enabling arbitrary code execution with root privileges. No authentication or user interaction is required, significantly lowering the barrier to exploitation. The vulnerability was assigned a CVSS v3.0 score of 7.5, reflecting high impact on confidentiality, integrity, and availability. Although no public exploits are known at this time, the nature of the flaw and its root-level code execution potential make it a critical concern. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-22523. No official patches or mitigations have been published yet, but disabling the Comexe DDNS service can prevent exploitation. This vulnerability highlights the risks of insecure input handling in network device firmware and the importance of secure coding practices.
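As an added illustration, not TP-Link's firmware or the actual ER605 code path, the C below shows the CWE-120 pattern the analysis describes (a DNS name copied into a fixed buffer with no length check) beside a bounds-checked decoder; the 64-byte buffer, the wire-format handling, the sample names, and all function names are hypothetical.

```c
/* Added example, not TP-Link code: an unchecked DNS-name copy (CWE-120) next to a
 * bounds-checked decoder. The 64-byte buffer and wire handling are hypothetical. */
#include <stdint.h>
#include <string.h>
#define NAME_BUF 64 /* hypothetical fixed-size destination buffer */

/* Vulnerable pattern: label lengths come straight from the packet and are copied
 * with no check of the space left in dst. Shown for contrast; not run on hostile input. */
void decode_name_unchecked(const uint8_t *wire, char dst[NAME_BUF])
{
    size_t in = 0, out = 0;
    for (uint8_t lab = wire[in++]; lab != 0; lab = wire[in++]) {
        if (out > 0) dst[out++] = '.';
        memcpy(dst + out, wire + in, lab); /* overruns dst once the name exceeds 63 bytes */
        out += lab; in += lab;
    }
    dst[out] = '\0';
}

/* Hardened version: each read is checked against the bytes left in the packet and
 * each write against the space left in dst. Returns text length, or -1 to reject. */
int decode_name_checked(const uint8_t *wire, size_t wire_len, char *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    for (;;) {
        if (in >= wire_len) return -1;                  /* ran off the end of the packet */
        uint8_t lab = wire[in++];
        if (lab == 0) break;                            /* root label ends the name */
        if (lab > 63 || lab > wire_len - in) return -1; /* bad label or truncated input */
        if (out + (out ? 1 : 0) + lab + 1 > dst_len) return -1; /* '.' + label + NUL */
        if (out > 0) dst[out++] = '.';
        memcpy(dst + out, wire + in, lab);
        out += lab; in += lab;
    }
    dst[out] = '\0'; return (int)out;
}

int demo_benign(void) /* constructed sample router.example.com; 1 when decoded as expected */
{
    static const uint8_t wire[] = {6,'r','o','u','t','e','r',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
    char out[NAME_BUF];
    return decode_name_checked(wire, sizeof wire, out, sizeof out) == 18 && strcmp(out, "router.example.com") == 0;
}

int demo_oversized(void) /* three 63-byte labels, 191 chars of text: must be rejected (-1) */
{
    uint8_t wire[3 * 64 + 1]; char out[NAME_BUF]; size_t p = 0;
    for (int i = 0; i < 3; i++) { wire[p++] = 63; memset(wire + p, 'a', 63); p += 63; }
    wire[p++] = 0; return decode_name_checked(wire, p, out, sizeof out);
}
```

The same 191-character name handed to decode_name_unchecked would write past the 64-byte buffer; the checked decoder refuses it before any copy takes place.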

Potential Impact

Successful exploitation of CVE-2024-5243 allows attackers to execute arbitrary code with root privileges on affected TP-Link Omada ER605 routers. This can lead to complete compromise of the device, enabling attackers to intercept, modify, or redirect network traffic, deploy persistent malware, or use the device as a foothold for lateral movement within an organization’s network. The confidentiality of sensitive data passing through the router can be breached, integrity of network communications can be undermined, and availability of network services can be disrupted. Given that no authentication is required and exploitation can be performed remotely by a network-adjacent attacker, the risk is substantial. Organizations relying on these routers for critical network infrastructure or remote access services are particularly vulnerable. The lack of current known exploits provides a window for proactive mitigation, but the potential impact remains high due to the root-level code execution capability.

Mitigation Recommendations

1. Immediately verify whether the TP-Link Omada ER605 routers in your environment are running the affected firmware version 2.6_2.2.2 Build 20231017 and are configured to use the Comexe DDNS service.
2. Disable the Comexe DDNS service on all affected devices as a temporary mitigation to prevent exploitation.
3. Monitor network traffic for unusual DNS requests or anomalous activity targeting the router's management interfaces.
4. Implement network segmentation to isolate management interfaces of routers from general user networks and untrusted sources.
5. Restrict access to the router's management interfaces to trusted IP addresses only.
6. Apply vendor-provided patches or firmware updates as soon as they become available.
7. Conduct regular vulnerability assessments and penetration tests focusing on network infrastructure devices.
8. Educate network administrators about the risks of enabling unnecessary services such as third-party DDNS providers.
9. Maintain an incident response plan that includes steps for containment and remediation of router compromises.
10. Consider deploying network intrusion detection/prevention systems (IDS/IPS) capable of detecting exploitation attempts targeting buffer overflow vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2024-05-22T20:59:40.274Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 699f6be2b7ef31ef0b55bc13

Added to database: 2/25/2026, 9:38:42 PM

Last enriched: 2/26/2026, 2:27:43 AM

Last updated: 2/26/2026, 6:10:52 AM
