Description
A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing.
Successful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise.
Published: 2026-03-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Full device compromise
Action: Immediate Patch
AI Analysis

Impact

A command injection vulnerability (CWE-78) exists in TP‑Link TL‑WR802N v4, TL‑WR841N v14, and TL‑WR840N v6 due to improper neutralization of special elements used in an OS command. The router configuration import function allows an authenticated attacker to upload a crafted configuration file that triggers the execution of arbitrary OS commands with root privileges during port‑trigger processing. Successful exploitation results in complete device compromise.

Affected Systems

Affected vendors/products include TP Link Systems Inc. devices TL‑WR840N v6, TL‑WR802N v4, and TL‑WR841N v14. These versions are listed in the vendor’s supported firmware downloads and listed as vulnerable in the official advisory.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. EPSS scoring indicates the probability of exploitation is low (<1%), and the vulnerability is not currently listed in the CISA KEV catalog. Attack execution requires authenticated access to the router’s configuration import feature; the attacker must possess administrative privileges to upload the malicious configuration file. Upon successful submission, the injected commands run with root rights, providing full control over the device.

Generated by OpenCVE AI on March 17, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check TP‑Link support site for latest firmware releases for TL‑WR802N, TL‑WR841N, and TL‑WR840N and upgrade the device immediately
  • Apply any available firmware patches that address command injection vulnerabilities
  • If no patch is available, disable the configuration import function or restrict it to trusted users only
  • Monitor device logs for unexpected command executions or configuration changes

Generated by OpenCVE AI on March 17, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tl-wr802n Firmware
Tp-link tl-wr840n
Tp-link tl-wr840n Firmware
Tp-link tl-wr841n Firmware
CPEs cpe:2.3:h:tp-link:tl-wr802n:v4:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr840n:6:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr841n:14:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wr802n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wr840n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wr841n_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link tl-wr802n Firmware
Tp-link tl-wr840n
Tp-link tl-wr840n Firmware
Tp-link tl-wr841n Firmware
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Mon, 16 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tl-wr802n
Tp-link tl-wr841n
Tp Link
Tp Link tl-wr840n
Vendors & Products Tp-link
Tp-link tl-wr802n
Tp-link tl-wr841n
Tp Link
Tp Link tl-wr840n

Fri, 13 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing. Successful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise.
Title Authenticated Command Injection on TP-Link TL-WR802N, TL-WR841N and TL-WR840N
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Tl-wr802n Tl-wr802n Firmware Tl-wr840n Tl-wr840n Firmware Tl-wr841n Tl-wr841n Firmware
Tp Link Tl-wr840n
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-17T03:55:35.442Z

Reserved: 2026-02-25T20:03:19.802Z

Link: CVE-2026-3227

cve-icon Vulnrichment

Updated: 2026-03-16T15:31:32.795Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:19:47.257

Modified: 2026-04-07T01:07:52.933

Link: CVE-2026-3227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:13Z

Weaknesses