A (cautionary) tale of two patched bugs, both exploited in the wild

Miscreants are right now exploiting two security bugs for which patches exist, one in a VMware network and applications monitoring tool and the other in some TP-Link routers. VMware two weeks ago issued a fix for CVE-2023-20887, a critical command-injection vulnerability in Aria Operations for Networks that can be abused to …

  1. razorfishsl

    TP-Link again.......

    Time to get some real programmers....

    1. Graham Cobb Silver badge

      Or just a real OS.

      My TP-Link devices are running OpenWRT.

      1. Snake Silver badge

        RE: OpenWRT on a TP-Link

        Thanks for the heads-up, but that only works on supported devices. My TP-Link Archer AC3200's (2 of them) aren't supported and TP-Link is quite good at abandoning hardware in somewhat short order; when I bought the second AC3200 new, the VPN services had a SMB forwarding bug and it took many tech support tickets, and a Beta-level firmware install, to fix. A Beta firmware that was never released to the general public later, mind you.

      2. Michael Wojcik Silver badge

        Yeah, I always assumed the only reason to buy TP-Link was to run OpenWRT. Though I take the point someone else posted – it can be tough finding a compatible device.

  2. Tubz Silver badge

    With ref. to the TP-Link Archer AX21, this is another example of why, when consumer goods go EOL by the manufacturer, they should be supported for a few years afterwards. When that time is up and many remain in use as they are still perfectly capable of doing their job, the hardware diagrams and software source should be released; communities are probably even more capable of fixing things than manufacturers' own support teams.

    1. MacroRodent

      Forgotten on a shelf

      If it is a consumer router, the users likely are not aware of the problem, and will not become aware of the problem, as long as the router works for them. TP-Link and other similar consumer gear makers have no idea who their customers are, and cannot reach them. Probably they would have to be either forcibly remotely updated by some white-hat hackers, or remotely bricked, so that the oblivious user is forced to get a new one.

    2. Ken Hagan Gold badge

      Of course, the easiest way for a vendor to meet this requirement is to use OpenWRT as their default firmware.

      Makes you wonder what sort of competitive edge they think they are getting by not doing so. (And I bet they aren't.)

      1. Michael Wojcik Silver badge

        It is strange. Last I looked (which was a while back) there were only one or two vendors selling home / small office routers with OpenWRT pre-installed. But the software the others use is full of FOSS packages already, so what's to be lost by getting rid of half your incompetent dev team and putting OpenWRT on instead? If you really think you need a "pretty" web interface, let the remaining incompetent developers (perhaps now incentivized to improve their skills and practices) build that.
