A zero-day bug has been uncovered in the TP-Link SR20 smart hub and home router. It would allow a local adversary to execute arbitrary commands on the device without authentication and establish a backdoor for remote access. Google developer Matthew Garrett, who found and reported the flaw, said it’s been 90 days since he reported it to the company, but no one has responded to the bug. The problem lies in a protocol that runs with root privileges on many TP-link routers, Garrett said.
Source: https://threatpost.com/zero-day-tp-link-smart-home-router/143266/