TP-Link has patched a vulnerability in multiple Archer router models that could allow attackers to login without passwords.
IBM X-Force security researcher Grzegorz Wypych warned a remote attacker could exploit this router vulnerability CVE-2019-7405 to take control of the router’s configuration via telnet over the local network. The attacker could then connect to a File Transfer Protocol (FTP) server over local or wide area network.
According to Bleeping Computer, an attacker would have to send an HTTP request with a larger number of characters than allowed by the router. As a consequence, the user password would be voided and replaced with an empty value.
TP-Link has issued patched for each of the affected Archer router models C5 V4, MR200v4, MR6400v4, and MR400v3 routers.