Lyrie
active-exploitation · Actively exploited
By Lyrie Threat Intelligence · 9/2/2025

What happened

CISA added CVE-2020-24363 to its Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild exploitation and a mandatory federal remediation timeline [CISA KEV]. The entry covers TP-Link’s TL-WA855RE and classifies the flaw as a “Missing Authentication for Critical Function” issue (CWE-306) affecting device management flows [NVD record]. Per the KEV note, an unauthenticated attacker on the same network can submit a TDDP_RESET POST request to trigger a factory reset and reboot, then establish new administrative control by setting a fresh password [CISA KEV]. CISA also warns that impacted devices may be end-of-life or end-of-service and should be discontinued if mitigations are not available [CISA KEV]. The CVE entry itself documents the affected product and the weak authentication boundary on critical functionality [MITRE CVE].

Why it matters

Being listed in KEV means the vulnerability is actively exploited or has been observed exploited, raising its priority for immediate action across government and industry networks [CISA KEV]. The combination of a same-LAN unauthenticated reset and the ability to set a new administrator password equates to swift device takeover and potential persistence on local infrastructure [CISA KEV]. These consumer-grade extenders often sit at network edges with minimal monitoring, so a silent reset-then-reown maneuver can degrade defenses and create a stealth foothold for later lateral movement [NVD record]. CISA’s advisory to discontinue use if no mitigations exist reflects the operational reality: unsupported, EoL/EoS gear is out of patch runway and exposes a durable attack surface [CISA KEV].

Technical detail

CVE-2020-24363 is a missing authentication control for a critical function (CWE-306) in the TP-Link TL-WA855RE, specifically permitting a factory reset via an HTTP POST endpoint without prior authorization [NVD record]. CISA’s KEV entry states an attacker on the same network can submit a TDDP_RESET POST request to force a factory reset and immediate reboot, after which the device enters an initial-setup state [CISA KEV]. Post-reset, the adversary can claim control by setting a new administrative password, resulting in incorrect access control and effective administrative takeover of the device [CISA KEV]. The flaw’s essence is the absence of authentication gating around a privileged operation, directly mapping to CWE-306 as cited in the CVE’s metadata [MITRE CVE]. Because exploitation requires only same-network reachability to the management interface, exposure arises wherever the extender shares a broadcast domain with untrusted or compromised hosts [NVD record]. In environments that rely on these devices for coverage, repeated reset/reown cycles can both mask malicious reconfiguration and erase on-device logs, frustrating post-event analysis [CISA KEV].
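To make the CWE-306 pattern concrete, here is an added illustrative model of a management-request dispatcher in its ungated and gated forms. This is example code written for this page, not TP-Link firmware or anything derived from it: the `Device` class, its session store, the `SET_PASSWORD` action and the response strings are hypothetical; the only name taken from the KEV entry is the TDDP_RESET operation. The vulnerable handler runs the reset without consulting the session store, which is exactly the missing gate the text describes; the hardened handler requires a valid session before any privileged action.

```python
"""Illustrative model of a CWE-306 control path and its gated counterpart.
Added example code; not TP-Link firmware. Device, sessions and SET_PASSWORD
are hypothetical stand-ins."""

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    """Minimal stand-in for an extender's management state."""
    admin_password: Optional[str] = "initial-secret"  # None means first-run state
    config: dict = field(default_factory=lambda: {"ssid": "office-ext"})
    sessions: set = field(default_factory=set)        # tokens issued by login()
    events: list = field(default_factory=list)        # what the device "logged"

    def login(self, password: str) -> Optional[str]:
        """Issue a session token only for the current admin password."""
        if self.admin_password is None:
            return None
        if not secrets.compare_digest(password, self.admin_password):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def factory_reset(self) -> None:
        """Wipe config and credentials; the device now accepts a fresh password."""
        self.config = {}
        self.admin_password = None
        self.sessions.clear()
        self.events.append("factory_reset")

    def first_run_set_password(self, password: str) -> bool:
        """Claiming the admin password is only valid in the first-run state."""
        if self.admin_password is not None:
            return False
        self.admin_password = password
        self.events.append("password_set")
        return True


def vulnerable_handle(dev: Device, action: str, params: dict,
                      session: Optional[str] = None) -> str:
    """Ungated pattern (CWE-306): the reset branch never checks the session."""
    if action == "TDDP_RESET":
        dev.factory_reset()
        return "200 reset"
    if action == "SET_PASSWORD":
        return "200 ok" if dev.first_run_set_password(params["password"]) else "403"
    return "404"


def hardened_handle(dev: Device, action: str, params: dict,
                    session: Optional[str] = None) -> str:
    """Gated pattern: a privileged action requires a valid session first."""
    if action == "TDDP_RESET":
        if session not in dev.sessions:
            return "401 authentication required"
        dev.factory_reset()
        return "200 reset"
    if action == "SET_PASSWORD":
        return "200 ok" if dev.first_run_set_password(params["password"]) else "403"
    return "404"


def unauthenticated_sequence(handler):
    """Drive the reset-then-set-password sequence from the KEV entry against a
    handler with no session; returns both responses and the device's events."""
    dev = Device()
    r1 = handler(dev, "TDDP_RESET", {})
    r2 = handler(dev, "SET_PASSWORD", {"password": "attacker-chosen"})
    return r1, r2, dev.events


if __name__ == "__main__":
    print("ungated:", unauthenticated_sequence(vulnerable_handle))
    print("gated:  ", unauthenticated_sequence(hardened_handle))
```

Against the ungated handler the sequence succeeds end to end and the device's own event trail shows a reset followed by a password claim; against the gated handler the first request is refused, so the device never enters the first-run state the second request depends on.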

Defense

CISA directs organizations to apply mitigations per vendor guidance or discontinue use if mitigations are unavailable, with federal remediation tracked via the KEV listing’s due date window [CISA KEV]. If you operate TL-WA855RE units, prioritize removal, replacement, or verified vendor-fixed firmware before the KEV remediation deadline for covered entities [CISA KEV]. Where immediate removal isn’t feasible, isolate devices to trusted segments and restrict same-LAN access from untrusted hosts to limit exposure to the unauthenticated reset vector described in the CVE [NVD record]. Monitor for symptomatic signals aligned to this exploit path—unexpected reboots, loss of configuration, or sudden password changes on TL-WA855RE—given the post-reset takeover described by CISA [CISA KEV]. Maintain an asset inventory keyed to vulnerable identifiers (product string: “TP-Link TL-WA855RE” as referenced in the CVE) to scope exposure and validate eradication [MITRE CVE].
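The monitoring and inventory advice above can be turned into a small correlation rule. The following is an added example, not Lyrie's product code and not from the CISA or NVD records: it scopes detection to assets whose inventory entry carries the product string from the CVE, flags a POST carrying TDDP_RESET to one of them, corroborates the reset with a DHCP request from the device's MAC (the reboot/link-flap symptom), and then flags a follow-on POST that sets a password within a short window as the post-reset takeover. The event schema, the inventory, the sample lines, the placeholder URI and the "password field within five minutes" heuristic for first-run setup are all constructed assumptions.

```python
"""Correlation of the reset-then-reown chain over constructed sensor events.
Added example; not Lyrie code. Schema, inventory, URIs and the first-run
heuristic are assumptions made for this example."""

import json

VULNERABLE_PRODUCT = "TP-Link TL-WA855RE"   # product string from the CVE
TAKEOVER_WINDOW_S = 300                      # assumed: setup follows reboot quickly

# Constructed asset inventory keyed on IP, carrying MAC and product string.
ASSETS = {
    "10.0.5.20": {"mac": "aa:bb:cc:00:00:20", "product": VULNERABLE_PRODUCT},
    "10.0.5.21": {"mac": "aa:bb:cc:00:00:21", "product": VULNERABLE_PRODUCT},
    "10.0.5.50": {"mac": "aa:bb:cc:00:00:50", "product": "Other vendor AP"},
}

# Constructed sensor events as JSON lines (ts = epoch seconds). The URI is a
# placeholder; the real management path is not part of this write-up.
SAMPLE_EVENTS = """
{"ts": 1000, "type": "http", "src": "10.0.5.77", "dst": "10.0.5.20", "method": "GET",  "uri": "/<placeholder>", "body": ""}
{"ts": 1010, "type": "http", "src": "10.0.5.77", "dst": "10.0.5.20", "method": "POST", "uri": "/<placeholder>", "body": "TDDP_RESET"}
{"ts": 1045, "type": "dhcp", "mac": "aa:bb:cc:00:00:20", "msg": "DHCPREQUEST"}
{"ts": 1070, "type": "http", "src": "10.0.5.77", "dst": "10.0.5.20", "method": "POST", "uri": "/<placeholder>", "body": "password=changed"}
{"ts": 1200, "type": "http", "src": "10.0.5.12", "dst": "10.0.5.50", "method": "POST", "uri": "/<placeholder>", "body": "TDDP_RESET"}
{"ts": 1300, "type": "http", "src": "10.0.5.90", "dst": "10.0.5.21", "method": "POST", "uri": "/<placeholder>", "body": "TDDP_RESET"}
{"ts": 1900, "type": "http", "src": "10.0.5.90", "dst": "10.0.5.21", "method": "POST", "uri": "/<placeholder>", "body": "password=late"}
"""


def in_scope_assets() -> list:
    """Exposure scoping: every inventory entry carrying the vulnerable product string."""
    return sorted(ip for ip, a in ASSETS.items() if a["product"] == VULNERABLE_PRODUCT)


def detect(events_text: str) -> list:
    """Return alerts for reset attempts and for takeovers correlated to them."""
    alerts = []
    mac_to_ip = {a["mac"]: ip for ip, a in ASSETS.items()}
    pending = {}   # device ip -> details of the most recent reset attempt

    for line in events_text.strip().splitlines():
        ev = json.loads(line)

        if ev["type"] == "dhcp":
            # A DHCP request from a device we just saw reset corroborates the reboot.
            ip = mac_to_ip.get(ev["mac"])
            if ip in pending and ev["ts"] - pending[ip]["ts"] <= TAKEOVER_WINDOW_S:
                pending[ip]["reboot_seen"] = True
            continue

        asset = ASSETS.get(ev["dst"])
        if not asset or asset["product"] != VULNERABLE_PRODUCT:
            continue   # only the vulnerable product string is in scope

        if ev["method"] == "POST" and "TDDP_RESET" in ev["body"]:
            alerts.append({"rule": "unauth-reset-attempt", "src": ev["src"],
                           "device": ev["dst"], "ts": ev["ts"]})
            pending[ev["dst"]] = {"src": ev["src"], "ts": ev["ts"], "reboot_seen": False}
        elif ev["method"] == "POST" and "password=" in ev["body"]:
            # Assumed first-run setup marker: a password-bearing POST soon after reset.
            p = pending.get(ev["dst"])
            if p and ev["ts"] - p["ts"] <= TAKEOVER_WINDOW_S:
                alerts.append({"rule": "post-reset-takeover", "src": ev["src"],
                               "device": ev["dst"], "ts": ev["ts"],
                               "same_source": ev["src"] == p["src"],
                               "reboot_seen": p["reboot_seen"]})
                del pending[ev["dst"]]
    return alerts


if __name__ == "__main__":
    print("in scope:", in_scope_assets())
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample the first device yields both a reset alert and a takeover alert with `same_source` and `reboot_seen` true, the POST to the non-TL-WA855RE asset is ignored, and the second device's late password POST falls outside the window, so only its reset attempt is raised; tune `TAKEOVER_WINDOW_S` to the reboot time you observe rather than trusting the assumed value.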

Lyrie Verdict

This is a mechanical, unauthenticated control-path abuse whose on-wire artifact—an HTTP POST to a reset endpoint—can and should be caught at machine speed before the device disappears into a reboot [CISA KEV]. Lyrie profiles IoT/SoHO device management flows and flags unauthorized reset semantics to assets fingerprinted as TL-WA855RE, correlating with immediate link flaps/DHCP renewals characteristic of a factory reset cycle [NVD record]. We then auto-interdict follow-on “first-run” admin-setup attempts from the same source that forced the reset, blocking the attacker’s post-reset credential set per the takeover path outlined by CISA [CISA KEV]. Bottom line: autonomously detecting and stopping the reset-then-reown chain neutralizes this class of no-auth critical-function abuse faster than any human-in-the-loop could react [MITRE CVE].

Lyrie Verdict

Autonomous network-level detection interdicts the unauthenticated TDDP_RESET POST and blocks the post-reset admin-setup sequence, cutting off takeover at wire speed.