There is a 0-day vulnerability in the TP-Link SR20 SmartHome router that enables arbitrary code execution (ACE).
The vulnerability was exposed by Matthew Garrett, Google security researcher. The 0-day (ACE) vulnerability in the TP-Link SR20 Smart Home Router allows potential attackers to execute arbitrary commands on the same network. Here the tweet with the mention.
It's been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device)
— Matthew Garrett (@mjg59) 28. März 2019
The disclosure was made after TP-Link did not move 90 days after the vulnerability was reported. In the meantime, an advisory on the subject has appeared on coresecurity.com. Garrett has published details here – Bleeping Computer has an article on the subject here.
