From the “What were they thinking?!” department…
“The expert says that when a browser sends an HTTP GET request to
the contacted router will establish a connection back to the visitor’s IP and contact any TFTP server there.”
So, any organization using BYOD with such a router gives away the store. Wirelessly, too… I wonder if this is a stupid decision by TP-Link or some scammer got to someone in the organization. Heads should roll on this one. It’s potentially a financial/legal/brand killer of TP-Link and they did not even bother to respond to a private disclosure. Some people are smart to use GNU/Linux for obvious reasons but there’s no assurance they will be smart in how they use it. A backdoor to import random executables is not smart. Security by obscurity is no security at all. A router with no security should not be on the market.
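As an added example (not part of this post or of TP-Link's code), one way a network defender could spot the reach-back pattern the quoted report describes in ordinary flow logs: a router-sourced TFTP (UDP/69) session to a LAN host shortly after that host made an HTTP request to the router. The router address, time window and sample flow records are constructed assumptions.

```python
"""Flag router-initiated TFTP sessions that follow an HTTP request from the
same LAN host, i.e. the "connect back to the visitor and contact a TFTP
server there" behaviour quoted above. Detection only; nothing is sent."""
from datetime import datetime, timedelta

# Constructed sample flow records (not from the page):
# timestamp proto src sport dst dport
SAMPLE_FLOWS = """\
2013-03-12T10:00:01 TCP 192.168.1.23 51514 192.168.1.1 80
2013-03-12T10:00:02 UDP 192.168.1.1 1025 192.168.1.23 69
2013-03-12T10:05:00 TCP 192.168.1.40 51600 192.168.1.1 80
2013-03-12T10:30:00 UDP 192.168.1.1 1026 192.168.1.99 69
"""

ROUTER_IP = "192.168.1.1"          # assumed gateway address
WINDOW = timedelta(seconds=30)     # assumed correlation window

def parse_flows(text):
    """Turn whitespace-separated flow lines into tuples with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, proto, src, sport, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), proto, src,
                     int(sport), dst, int(dport)))
    return rows

def find_router_tftp(flows, router_ip=ROUTER_IP, window=WINDOW):
    """Return {"correlated": [...], "uncorrelated": [...]}.
    correlated:   (client, http_ts, tftp_ts) for router->client UDP/69 flows
                  preceded within `window` by an HTTP request from that client
                  to the router (the exact pattern the report describes).
    uncorrelated: (client, tftp_ts) for any other router-initiated TFTP flow,
                  which a router normally has no reason to open at all."""
    last_http = {}   # client ip -> time of its latest HTTP request to the router
    result = {"correlated": [], "uncorrelated": []}
    for ts, proto, src, sport, dst, dport in sorted(flows):
        if proto == "TCP" and dst == router_ip and dport in (80, 443):
            last_http[src] = ts
        elif proto == "UDP" and src == router_ip and dport == 69:
            t = last_http.get(dst)
            if t is not None and ts - t <= window:
                result["correlated"].append((dst, t, ts))
            else:
                result["uncorrelated"].append((dst, ts))
    return result

if __name__ == "__main__":
    print(find_router_tftp(parse_flows(SAMPLE_FLOWS)))
```

Either list is worth an alert: a consumer router acting as a TFTP client toward its own LAN hosts is not normal behaviour, and the correlated case matches the trigger described above.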