I reported this to TP-Link today.
Developers, please remember to not pass unsanitized input from the internet to the command line.
It's scary how vulnerable these IoT devices are, especially the ones marketed as security-orientated products.
Kudos to the author, nice work. It's sad that so many things are still so vulnerable. TP-Link gear is garbage; I think most people knew that already. Honestly, so is most consumer IoT/embedded gear. I did some analysis a while back and found garbage like open telnet ports, old software, and worst of all, cryptographic flaws like constant nonces and IVs. Not to mention the age-old flaw of no TLS on the management interface.