CVE-2021-41451 in AX10v1
Summary
by MITRE • 12/17/2021
A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a misconfigured HTTP/0.9 response, potentially leading into a cache poisoning attack.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/05/2026
The vulnerability CVE-2021-41451 represents a critical HTTP protocol misconfiguration affecting the web interface of TP-Link AX10v1 routers running firmware versions prior to V1_211117. This issue stems from the router's inadequate handling of HTTP/0.9 protocol requests within its HTTP/1.1 web interface implementation, creating a dangerous protocol boundary condition that adversaries can exploit to manipulate the device's caching mechanisms. The flaw exists at the application layer where the web server component fails to properly validate and sanitize incoming HTTP requests that do not conform to the expected HTTP/1.1 protocol standards, allowing legacy HTTP/0.9 packets to traverse the system unfiltered.
The technical exploitation of this vulnerability occurs through the deliberate crafting of HTTP/0.9 packets that are sent to the affected TP-Link router's web interface. These packets contain specific formatting that bypasses normal HTTP/1.1 parsing mechanisms, allowing them to be processed by the web server's cache handling components. When the router processes these malformed requests, the cache poisoning mechanism becomes compromised, enabling attackers to inject malicious content into the router's cache storage. This cache poisoning can be leveraged to redirect users to malicious websites, inject malicious scripts, or manipulate web content served by the router's internal web interface, effectively compromising the device's integrity and the security of connected users.
The operational impact of this vulnerability extends beyond simple cache manipulation, as it fundamentally undermines the trust model of the router's web interface and creates persistent attack vectors that can be exploited by remote adversaries. The vulnerability affects the router's ability to maintain secure communication channels and can lead to unauthorized access to administrative functions, as well as provide a foothold for more sophisticated attacks within the local network. The cache poisoning attack can persist even after the initial exploit attempt, making it particularly dangerous for network security as it can compromise the router's web interface for extended periods without requiring repeated exploitation attempts. This vulnerability directly maps to CWE-444, which describes improper handling of HTTP requests, and aligns with ATT&CK technique T1190, which covers exploiting vulnerabilities in web applications.
Mitigation strategies for this vulnerability require immediate firmware updates from TP-Link to address the HTTP protocol handling inconsistencies in the web interface implementation. Network administrators should also implement network segmentation and access controls to limit exposure of affected devices to untrusted networks. Additional protective measures include deploying web application firewalls to detect and block malformed HTTP requests, implementing network monitoring to identify unusual traffic patterns that might indicate exploitation attempts, and establishing regular vulnerability assessments to identify similar protocol boundary issues in other network devices. The vulnerability highlights the importance of proper HTTP protocol compliance in embedded web servers and demonstrates how legacy protocol support can create security risks in modern network infrastructure components.