FAIL › dossier
· dossier confidence 20%
TP-Link is a major wireless networking vendor with a significant security track record of critical RCE vulnerabilities in consumer routers that have been actively exploited by threat actors.
TP-Link has a history of critical remote code execution (RCE) vulnerabilities in consumer routers, including command injection and buffer overflow flaws in firmware components.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2022-08-23 | CVE-2021-42232 | critical | ⚡RCE | 50 | TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part of the command. This will cause an attacker to execute arbitrary commands on the |
| 2022-02-25 | CVE-2022-25061 | critical | ⚡RCE | 50 | TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute. |
| 2022-02-25 | CVE-2022-25060 | critical | ⚡RCE | 50 | TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing. |
| 2022-02-25 | CVE-2022-25064 | critical | ⚡RCE | 50 | TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr. |
| 2021-11-13 | CVE-2021-41653 | critical | ⚡RCE | 50 | The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field. |
| 2023-06-16 | CVE-2023-34832 | critical | 35 | TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4. | |
| 2026-03-20 | CVE-2025-15608 | critical | — | CVE-2025-15608: This vulnerability in AX53 v1, AX55 v4 and AX55 v4.6 results from insufficient i |
Open questions: TP-Link's patch management process for enterprise-grade firmware · TP-Link's compliance with CMMC requirements for defense contractors