What Is TP-Link Archer?
TP-Link's Archer product line consists of consumer and prosumer wireless routers widely deployed in home and small business environments. Archer models (C2, C5, C7, C8, C9, C20i, and others) provide 802.11ac Wi-Fi, NAT routing, and a web management interface. TP-Link is one of the world's largest home router manufacturers by unit volume, making Archer product vulnerabilities relevant to tens of millions of deployed devices.
Like most consumer routers, Archer devices run embedded Linux firmware with a BusyBox-based web server for the management interface. The management interface serves both the administrative web UI and configuration file downloads — and in vulnerable versions, does not adequately restrict file paths in certain URL patterns.
Overview
CVE-2015-3035 is an unauthenticated directory traversal vulnerability in multiple TP-Link Archer router models that allows remote attackers to read arbitrary files from the device filesystem. By appending ../ traversal sequences to the /login/ path, an attacker can read any file accessible to the web server process — including the router's configuration file containing Wi-Fi passwords, administrator credentials, and VPN settings.
Affected Versions
| TP-Link Archer Model | Status |
|---|---|
| Archer C2 | Vulnerable (firmware before fix) |
| Archer C5 | Vulnerable |
| Archer C7 | Vulnerable |
| Archer C8 | Vulnerable |
| Archer C9 | Vulnerable |
| Archer C20i | Vulnerable |
TP-Link released firmware updates addressing CVE-2015-3035 for most affected models.
Technical Details
Root Cause: PATH_INFO Directory Traversal in Web Server
The TP-Link Archer web management interface fails to sanitize the PATH_INFO component of URLs to the /login/ handler. The web server directly uses the path provided in the request to construct a filesystem path for file serving — without stripping or rejecting ../ traversal sequences.
An attacker can send a request like:
```
GET /login/../../../etc/passwd HTTP/1.1
Host: 192.168.0.1
```
The web server constructs the path /etc/passwd (after traversal) and returns its contents without requiring authentication, as the traversal escapes the intended /login/ directory scope before authentication is checked.
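The flaw described above, shown as an added example (this is not TP-Link's firmware code, which the page does not show): a handler that joins the request path onto a document root, next to a version that canonicalises the path and enforces containment. `WEB_ROOT`, `LOGIN_DIR` and the function names are assumptions made for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/www"          # assumed document root; the page does not name it
LOGIN_DIR = "/www/login"   # assumed directory behind the /login/ handler


def resolve_vulnerable(url_path: str) -> str:
    """Mimics the flaw: the request path is joined to the root unchecked."""
    # The OS resolves every ".." when the file is opened; normpath models
    # that resolution so the resulting target is visible here.
    return posixpath.normpath(WEB_ROOT + unquote(url_path))


def resolve_hardened(url_path: str) -> Optional[str]:
    """Return a path inside LOGIN_DIR, or None if the request is rejected."""
    # Decode exactly once and use this same decoded value for the file open.
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    if not decoded.startswith("/login/"):
        return None
    candidate = posixpath.normpath(WEB_ROOT + decoded)
    # Containment is checked on the canonical form, component by component,
    # so "/www/login-old" does not pass as a child of "/www/login".
    if posixpath.commonpath([LOGIN_DIR, candidate]) != LOGIN_DIR:
        return None
    # On a real filesystem, compare os.path.realpath() results as well so
    # that symlinks inside LOGIN_DIR cannot point outside it.
    return candidate


if __name__ == "__main__":
    for path in ("/login/../../../etc/passwd", "/login/logo.png"):
        print(path, "->", resolve_vulnerable(path), "|", resolve_hardened(path))
```

The hardened resolver only decides which file may be served; the authentication check still has to run before any file is returned.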
High-Value Files Accessible
On TP-Link Archer routers, unauthenticated file read can retrieve:
- /etc/passwd — system user list (may include router admin hash)
- /etc/shadow — password hashes for system accounts
- Router configuration backup file — typically contains: Wi-Fi SSIDs and passwords (WPA-PSK keys), router admin username and password, VPN credentials, DDNS credentials, and all network configuration in plaintext or weakly encoded form
- /proc/ entries — kernel information, running process list
Wi-Fi credentials and router admin passwords from the configuration file enable full router takeover and Wi-Fi network access.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — HTTP request to management interface |
| Authentication | None required |
| Impact | Credential disclosure (Wi-Fi, admin, VPN passwords) |
| Path | /login/../ traversal sequences |
| Scope | Confidentiality only |
Discovery
Publicly disclosed in April 2015 with a working proof-of-concept published on Exploit-DB (ID 36862). TP-Link subsequently released patched firmware versions for most affected Archer models.
Exploitation Context
- Credential theft: Attackers exploit CVE-2015-3035 to retrieve router configuration files containing Wi-Fi passwords and admin credentials; these credentials enable full router administrative access and Wi-Fi network infiltration
- IoT botnet reconnaissance: Automated scanners probe routers for this and similar traversal vulnerabilities to harvest credentials for credential stuffing, lateral movement, or botnet enrollment
- SOHO network compromise: Compromising a router's administrative interface provides a privileged position for network monitoring, DNS hijacking, and traffic interception affecting all devices on the network
- CISA KEV (2022): Added March 2022, confirming continued exploitation against unpatched Archer devices years after firmware fixes were available
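A detection sketch for the request pattern described on this page, as an added example that is not part of the original advisory: it flags logged requests under /login/ whose decoded path leaves that directory, and records whether the response was a 200. The log lines are constructed, use a common access-log layout, and carry documentation-range source addresses; the layout and field names are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2022:10:00:01 +0000] "GET /login/../../../etc/passwd HTTP/1.1" 200 512
192.168.0.23 - - [01/Apr/2022:10:00:05 +0000] "GET /login/login.htm HTTP/1.1" 200 2048
203.0.113.9 - - [01/Apr/2022:10:01:00 +0000] "GET /login/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
192.168.0.23 - - [01/Apr/2022:10:02:00 +0000] "GET /login/img/../logo.png HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def escapes_login(raw_target: str) -> bool:
    """True if a /login/ request resolves to a path outside /login/."""
    path = raw_target.split("?", 1)[0]
    # Decode a bounded number of times so encoded forms are not missed.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/login/"):
        return False
    normal = posixpath.normpath(path)
    return normal != "/login" and not normal.startswith("/login/")


def find_traversal(log_text: str) -> list:
    """Return one record per request that escapes /login/."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and escapes_login(match.group(2)):
            src, target, status = match.groups()
            # A 200 means file content was probably returned.
            hits.append({"src": src, "target": target, "served": status == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set to true is the case where the credential rotation listed under Remediation applies.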
Remediation
- Update to patched firmware — download and install the latest firmware from TP-Link's support site for your specific Archer model. Verify the firmware version fixes CVE-2015-3035.
- Disable remote management — disable WAN-side access to the router management interface (HTTP/HTTPS on WAN port). Router management should only be accessible from the local LAN.
- Change default credentials — change the router admin password to a strong, unique password if it remains at the default value.
- Rotate credentials — if the device may have been accessible while vulnerable, rotate: Wi-Fi passwords (change SSID passwords), router admin password, and any VPN or DDNS credentials stored in the router configuration.
- Replace EOL devices — if no firmware fix is available for your Archer model, replace the device with a currently supported router.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2015-3035 |
| Vendor / Product | TP-Link — Multiple Archer Devices |
| NVD Published | 2015-04-22 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CISA KEV Added | 2022-03-25 |
| CISA KEV Deadline | 2022-04-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2015-04-01 | TP-Link Archer directory traversal publicly disclosed |
| 2015-04-22 | CVE-2015-3035 published by NVD |
| 2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2015-3035 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Exploit-DB 36862 — TP-Link Archer C2/C20i Directory Traversal | Security Research |