Impact
The flaw is an OS command injection in the BigPond Cable (BPA) WAN configuration module of the TP‑Link TL‑WR940N router, caused by improper sanitization of user input. An attacker who can authenticate as a router administrator can execute arbitrary system commands on the device, elevating to full control of the router. This vulnerability falls under CWE‑78 and is capable of breaking confidentiality, integrity, and availability of the network.
Affected Systems
Affected devices are TP‑Link TL‑WR940N routers running firmware version 6. According to the vendor’s CNA data, no other firmware releases or models are currently reported to be impacted.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. With a 3 % EPSS score, the likelihood of exploitation is low but not negligible, and the vulnerability is not listed in the CISA KEV catalog. The injection is possible only after authenticating with administrative rights, most likely through the router’s web interface; therefore, the attack vector is inferred to be web‑based authentication. If the conditions are met, an attacker could run arbitrary commands with root privileges.
OpenCVE Enrichment