Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent network DHCP attack with no auth or user interaction; unsanitized option parsing yields straightforward command injection as root, giving full CIA impact on the router itself.
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.
Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
AnalysisAI
Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be on the same broadcast/L2 segment as the router's DHCP-client interface (AV:A) - typically the WAN side on LTE/DSL gateway models or any segment where the device performs DHCP during provisioning. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 base score 8.7 reflects adjacent network attack (AV:A), low complexity, no authentication, no user interaction, and full CIA impact on the vulnerable system - consistent with a router being fully compromised by a malicious DHCP server on the same L2 segment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same Layer-2 segment as a freshly reset or newly deployed TP-Link router (for example, a malicious neighbor on a shared apartment-building ISP segment, or a rogue host on a SOHO LAN during initial setup) runs a rogue DHCP server that races the legitimate one. When the router requests DHCP options during provisioning, the rogue server returns crafted option values containing shell metacharacters, causing the router to execute the embedded commands as root and yielding full administrative control of the device. |
| Remediation | Patch available per vendor advisory: install the latest firmware for the specific affected model from the TP-Link support pages (https://www.tp-link.com/us/support/faq/5141/ and the per-model firmware downloads for Archer C20, MR200, MR402, VR2100, and TL-MR6400 v7). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all TP-Link Archer and TL-MR series routers deployed and document current firmware versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38339
GHSA-w296-94hj-pfcg