COOEY // HUBcompliance · community · intelligence

FAIL › dossier

tl-wr840n product

· dossier confidence 0%

TP-Link TL-WR840N firmware contains multiple critical RCE vulnerabilities discovered in 2021 and 2022, posing significant risk to network infrastructure.

4
failure events
0
zero-days
4
RCEs
0
on KEV
4
critical
50
worst shame

Profile

Category
product
What they do
TP-Link TL-WR840N is a consumer-grade wireless router manufactured by TP-Link, a subsidiary of Digi International.

Security posture

Critical vulnerabilities (RCE) were discovered in firmware versions V6.20 and V5, indicating a pattern of unpatched command injection flaws in network management functions.

Notable failures
  • CVE-2022-25061: RCE via oal_setIp6DefaultRoute
  • CVE-2022-25060: RCE via oal_startPing
  • CVE-2022-25064: RCE via oal_wan6_setIpAddr
  • CVE-2021-41653: RCE via crafted IP payload in PING function
Patterns
repeated unpatched edge-device RCEs; command injection in network management components

Failure history 4 events

DateEventSevFlagsShameSummary
2022-02-25 CVE-2022-25061 critical ⚡RCE 50 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.
2022-02-25 CVE-2022-25060 critical ⚡RCE 50 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.
2022-02-25 CVE-2022-25064 critical ⚡RCE 50 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.
2021-11-13 CVE-2021-41653 critical ⚡RCE 50 The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.

Dossier sources

Open questions: TP-Link corporate entity details not found in provided web sources · No specific website URL for TP-Link TL-WR840N found in provided web sources