Description
An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Published: 2026-06-16
Score: 8.5 High
EPSS: 2.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an OS command injection in the BigPond Cable (BPA) WAN configuration module of the TP‑Link TL‑WR940N router, caused by improper sanitization of user input. An attacker who can authenticate as a router administrator can execute arbitrary system commands on the device, elevating to full control of the router. This vulnerability falls under CWE‑78 and is capable of breaking confidentiality, integrity, and availability of the network.

Affected Systems

Affected devices are TP‑Link TL‑WR940N routers running firmware version 6. According to the vendor’s CNA data, no other firmware releases or models are currently reported to be impacted.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. With a 3 % EPSS score, the likelihood of exploitation is low but not negligible, and the vulnerability is not listed in the CISA KEV catalog. The injection is possible only after authenticating with administrative rights, most likely through the router’s web interface; therefore, the attack vector is inferred to be web‑based authentication. If the conditions are met, an attacker could run arbitrary commands with root privileges.

Generated by OpenCVE AI on June 19, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest firmware provided by TP‑Link (v7 or later) which removes the vulnerable BPA module.
  • If a firmware update cannot be applied, disable the BigPond Cable (BPA) WAN configuration functionality or remove the module from device configuration.
  • Restrict administrative access to trusted devices and networks, use strong, unique passwords, and enable two‑factor authentication if available.

Generated by OpenCVE AI on June 19, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tl-wr940n V6
Vendors & Products Tp-link
Tp-link tl-wr940n V6

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Title OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Tp-link Tl-wr940n V6
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-18T03:56:12.777Z

Reserved: 2026-06-05T18:37:13.184Z

Link: CVE-2026-11410

cve-icon Vulnrichment

Updated: 2026-06-17T14:35:53.204Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')