Impact
An authenticated OS command injection flaw exists in the IPv6 PPPoE configuration handler of TP‑Link TL‑WR940N v6. Unsanitized user input allows an attacker who has administrative rights to inject and execute arbitrary system commands, leading to full system compromise with elevated privileges. The vulnerability directly affects the confidentiality, integrity, and availability of the device and any network resources it manages.
Affected Systems
TP‑Link Systems Inc. product TL‑WR940N v6 is affected. No other products or additional version ranges are listed, so only the v6 firmware revision is vulnerable.
Risk and Exploitability
The CVSS score of 8.5 indicates a high severity. The EPSS score of 3% indicates a low but non‑zero probability of exploitation at the time of analysis. The vulnerability is not present in the CISA KEV catalog. Exploitation requires authenticated administrative access, implying that an attacker must first gain or already possess such access. Once the base privilege is achieved, the attacker can execute arbitrary commands remotely on the router.
OpenCVE Enrichment