Skip to main content

TP-Link TL-WR940N EUVDEUVD-2026-37499

| CVE-2026-11409 HIGH
OS Command Injection (CWE-78)
2026-06-16 TPLink
8.5
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Adjacent LAN/Wi-Fi reach to admin UI (AV:A), low complexity once authenticated (AC:L), administrator login required (PR:H), no user interaction, and full device compromise gives C/I/A:H.

3.1 AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:46 vuln.today

DescriptionCVE.org

An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.

AnalysisAI

Authenticated OS command injection in the TP-Link TL-WR940N v6 router's IPv6 PPPoE configuration handler allows administrators to break out of the configuration parser and execute arbitrary shell commands with elevated (typically root) privileges on the device. The flaw was reported by TP-Link itself and a firmware fix is available; no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach router admin UI on LAN/Wi-Fi
Delivery
Authenticate with admin credentials
Exploit
Open IPv6 WAN PPPoE config page
Install
Submit PPPoE field with shell metacharacters
C2
Vulnerable handler invokes shell with injected payload
Execute
Arbitrary commands run with elevated privileges
Impact
Persist on router for interception or pivoting

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the router's management interface from the adjacent network - typically the LAN or Wi-Fi segment, per AV:A - and (2) valid administrator credentials for the web UI, per PR:H, since the vulnerable code path is the authenticated IPv6 WAN configuration handler with the connection type set to PPPoE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H) and score of 8.5 paint a coherent picture: an attacker must already be on the adjacent network (LAN/Wi-Fi) and must already hold administrator credentials, but once those preconditions are met, exploitation is reliable and yields full control of the device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained the router's administrator password - for example by guessing a default/weak credential, reusing leaked credentials, or coercing an authenticated admin's browser via CSRF on the LAN - logs into the TL-WR940N v6 web UI, navigates to the IPv6 WAN connection page, selects PPPoE, and submits a connection parameter (such as the service name or username) containing shell metacharacters followed by an arbitrary command. The vulnerable handler concatenates the value into a system command, the shell executes the injected payload with the router's elevated privileges, and the attacker gains a persistent foothold on the device suitable for DNS hijacking, traffic interception, or pivoting deeper into the network. …
Remediation Vendor-released patch: TL-WR940N v6 firmware build V6_260528 (or later), available from https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware and https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware, with vendor context at https://www.tp-link.com/us/support/faq/5131/ - upgrade affected devices to this build as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all TP-Link TL-WR940N v6 routers in the network and document current firmware versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37499 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy