Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent LAN/Wi-Fi reach to admin UI (AV:A), low complexity once authenticated (AC:L), administrator login required (PR:H), no user interaction, and full device compromise gives C/I/A:H.
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
AnalysisAI
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's IPv6 PPPoE configuration handler allows administrators to break out of the configuration parser and execute arbitrary shell commands with elevated (typically root) privileges on the device. The flaw was reported by TP-Link itself and a firmware fix is available; no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the router's management interface from the adjacent network - typically the LAN or Wi-Fi segment, per AV:A - and (2) valid administrator credentials for the web UI, per PR:H, since the vulnerable code path is the authenticated IPv6 WAN configuration handler with the connection type set to PPPoE. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H) and score of 8.5 paint a coherent picture: an attacker must already be on the adjacent network (LAN/Wi-Fi) and must already hold administrator credentials, but once those preconditions are met, exploitation is reliable and yields full control of the device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained the router's administrator password - for example by guessing a default/weak credential, reusing leaked credentials, or coercing an authenticated admin's browser via CSRF on the LAN - logs into the TL-WR940N v6 web UI, navigates to the IPv6 WAN connection page, selects PPPoE, and submits a connection parameter (such as the service name or username) containing shell metacharacters followed by an arbitrary command. The vulnerable handler concatenates the value into a system command, the shell executes the injected payload with the router's elevated privileges, and the attacker gains a persistent foothold on the device suitable for DNS hijacking, traffic interception, or pivoting deeper into the network. … |
| Remediation | Vendor-released patch: TL-WR940N v6 firmware build V6_260528 (or later), available from https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware and https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware, with vendor context at https://www.tp-link.com/us/support/faq/5131/ - upgrade affected devices to this build as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all TP-Link TL-WR940N v6 routers in the network and document current firmware versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Tl Wr940N V6
View allSame weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37499