CPATH-2026-0031 · GENERAL IOT
Vector: CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE
ACCOUNT_AUTHORITY (authority) · Evidence EV:4 (field-confirmed) · Liveness PATCH_AVAILABLE

| Field | Value |
| --- | --- |
| CPATH ID | CPATH-2026-0031 |
| CVE(s) | CVE-2023-1389 |
| Device / class | TP-Link Archer AX21 (AX1800) router unauthenticated command injection (CVE-2023-1389) (GENERAL IOT) |
| Vendor | TP-Link |
| Dominant consequence | ACCOUNT_AUTHORITY (authority) |
| Paths verdict | EMERGENCY (worst of 3 paths) |
| Published baseline | v3.1 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H · NVD / CNA via NVD |
| Baseline relationship | ▼ Paths higher |
| Consequence dimension(s) | #1 #2 |
| Scored | 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional |
| Baseline confidence | high |
Consequence Paths

authority · ACCOUNT_AUTHORITY · CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE
authority · FLEET_CONTROL_PLANE · CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:2/DP:2/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE
perception · DATA_PRIVACY · CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE

CFSE Consequence Paths assesses TP-Link Archer AX21 (AX1800) router unauthenticated command injection (CVE-2023-1389) at EMERGENCY, the worst of 3 risk paths (authority, perception). The dominant consequence is privileged account or control authority.
TP-Link Archer AX21 (AX1800) router unauthenticated command injection (CVE-2023-1389). Reported attack vector: Adjacent network (AV:A per NVD; reachable on LAN/Wi-Fi, and exploited at Internet scale where the management interface is WAN-exposed).
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
ACCOUNT_AUTHORITY → EMERGENCY
CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL · uplift active exploitation, fleet-reachable authority → assessed EMERGENCY.
Unauthenticated POST to the locale ‘country’ parameter yields arbitrary command execution as root on the gateway. RE:4 because exploited Internet-wide against WAN-exposed management interfaces (LAN/Wi-Fi at minimum, but mass remote exploitation observed). EC:4 single unauthenticated request, public Metasploit/ExploitDB PoC. AT:3 root/admin authority over the gateway device (modifies device config/firmware/command surface) but not a signing-root or OTA-root of trust, so not 4. PH:2 network device, no direct actuation; perimeter control can disrupt availability but no severe physical harm. DP:3 root control exposes credentials and sensitive operational state. CH:4 root on the gateway is a reusable multi-hop bridge crossing network/device boundaries enabling lateral movement and pivot. SR:4 identical primitive across the whole Archer AX21/AX1800 population. SX:4 fleet-scale remote exploitation without per-device access. OR:3 recoverable via firmware 1.1.4+ and factory reset per device; not fleet-reprovision/recall. EV:4 field-confirmed, CISA KEV.
FLEET_CONTROL_PLANE → EMERGENCY
CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:2/DP:2/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift active exploitation, fleet-reachable authority → assessed EMERGENCY.
The single reusable RCE primitive was rapidly weaponized into multiple Mirai botnet variants, enrolling routers at scale into attacker command-and-control. RE:4 Internet-wide reachable/exploited. EC:4 trivial single request, automated botnet scanning. AT:3 attacker gains command authority over a large device population aggregated under botnet C2; this is fleet-scale control of compromised nodes but via a per-device exploit reused at scale rather than a manufacturer OTA/signing root, so AT:3 not 4. PH:2 no severe physical harm; availability/DDoS impact. DP:2 telemetry/network position. CH:4 cross-domain bridge: one bug becomes a botnet control plane spanning the device fleet and the Internet. SR:4 single shared primitive portable across the entire product line. SX:4 fleet-scale remote enrollment with no per-device access. OR:3 each node recoverable via patch+reset; no manufacturer recall/key rotation needed. EV:4 field-confirmed Mirai variants, KEV-listed.
DATA_PRIVACY → CRITICAL
CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL · uplift active exploitation, fleet-reachable authority · caps privacy-only cap → assessed CRITICAL.
Root control of the gateway enables traffic interception/redirection (DNS hijack, MITM) affecting all downstream client data. RE:4 same Internet-reachable entry point. EC:4 once root is held, configuring DNS/routing for MITM is trivial. AT:3 admin/root authority over the network perimeter; not a trust-root. PH:2 no severe physical harm. DP:3 sensitive: all downstream client traffic confidentiality/integrity (credentials, sensitive op-state) is compromised; not 4 because it is network data plane, not biometric/spatial-map/safety-sensor world-model state, and it does not drive physical/safety action so perception_feeds_action=false. CH:4 reusable cross-boundary bridge (device control to data-plane interception across all clients). SR:4 same primitive across product population. SX:4 every compromised gateway exposes all its clients at fleet scale. OR:3 recoverable per device via patch/reset. EV:3 interception capability is a credible/reproduced consequence of root rather than the field-headline behavior (botnet enrollment), so slightly lower evidence than the takeover/botnet paths.
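The three path vectors above differ in only a few components. As an added example (not part of the registry entry or any CFSE tooling), the following parses them and reports how each path differs from the dominant ACCOUNT_AUTHORITY path. The fixed key order and single-digit metric values are assumptions read off the vectors on this page, which gives no formal grammar.

```python
import re

# The three vectors exactly as they appear in this entry.
VECTORS = [
    "CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE",
    "CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:2/DP:2/AT:3/CH:4/SR:4/SX:4/OR:3/EV:4/LS:PATCH_AVAILABLE",
    "CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE",
]

# Assumption: components always appear in this order, as in the vectors above.
KEYS = ["CPATH", "TT", "RE", "EC", "EX", "PH", "DP", "AT", "CH", "SR", "SX", "OR", "EV", "LS"]
NUMERIC = [k for k in KEYS if k not in ("CPATH", "TT", "LS")]


def parse_vector(text):
    """Parse one CPATH vector into a dict; raise ValueError on malformed input."""
    fields = {}
    for part in text.strip().split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed component: {part!r}")
        if key in fields:
            raise ValueError(f"duplicate key: {key}")
        fields[key] = value
    if list(fields) != KEYS:
        raise ValueError(f"unexpected keys or order: {list(fields)}")
    for key in NUMERIC:
        # Assumption: metric values are single digits, as on this page.
        if not re.fullmatch(r"\d", fields[key]):
            raise ValueError(f"non-numeric value for {key}: {fields[key]!r}")
        fields[key] = int(fields[key])
    return fields


def diff_paths(vectors):
    """Map each later path's TT to {metric: (first_path_value, this_value)}."""
    parsed = [parse_vector(v) for v in vectors]
    base = parsed[0]
    return {
        p["TT"]: {k: (base[k], p[k]) for k in KEYS if k != "TT" and p[k] != base[k]}
        for p in parsed[1:]
    }


if __name__ == "__main__":
    for name, delta in diff_paths(VECTORS).items():
        print(name, delta)
```

Each secondary path differs from the dominant path in a single metric, so the verdict gap on DATA_PRIVACY comes from the privacy-only cap stated in its assessment line rather than from lower metric values.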
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H · NVD / CNA via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0031 (“TP-Link Archer AX21 (AX1800) router unauthenticated command injection (CVE-2023-1389)”), paths.cfse.ai/CPATH-2026-0031 (published 2026-06-03).