CVE-2018-11714
published 2018-06-04

Priority: P187
Severity: critical, CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation: exploited in the wild; public exploit available; listed in VulnCheck KEV
EPSS: 36.52% (98.3rd percentile)
An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action.

Affected (2 ranges)

Vendor    Product               Version range   Fixed in
tp-link   tl-wr840n_firmware    not listed      not listed
tp-link   tl-wr841n_firmware    not listed      not listed

Detection & IOCs (extracted from sources)

cookie:   Authorization;
url:      http://192.168.0.1/mainFrame.htm
path:     /cgi/
command (the request carrying the empty-value "Cookie: Authorization;" DoS trigger):
curl 'http://tplinkwifi.net/' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' \
  -H 'Referer: http://tplinkwifi.net/' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Cookie: Authorization;' \
  --compressed
  • Detect authentication bypass attempts by monitoring HTTP requests to /cgi/ paths that include a spoofed Referer header matching 'http://192.168.0.1/mainFrame.htm', 'tplinkwifi.net', or 'tplinklogin.net' without a valid session.
  • Alert on HTTP requests containing a Cookie header value of exactly 'Authorization;' (with trailing semicolon and no value), which triggers a DoS crash of the httpd service on affected TP-Link devices.
  • Detect CSRF exploitation attempts by monitoring for HTTP Referer headers where the domain begins with 'tplinkwifi.net' or 'tplinklogin.net' but is followed by additional characters (e.g. 'tplinkwifi.net.drive-by-attack.com'), indicating abuse of the incomplete strncmp whitelist check.
  • Monitor for HTTP Referer headers containing a non-HTTP protocol string (e.g. a bare word like 'DOS') sent to TP-Link router admin interfaces, which triggers a NULL pointer dereference crash in http_parser_main.
  • The authentication bypass (CVE-2018-11714) is triggered by spoofing the HTTP Referer header to match whitelisted values ('tplinkwifi.net', 'tplinklogin.net', or the router's IP). The whitelist check uses strncmp with a length derived from these strings, so only the first N characters are compared: a subdomain or extended domain that starts with an allowed name passes the check.
  • Affected firmware versions are specifically TL-WR840N v5 Build 170608 Rel.58696n and TL-WR841N v13 Build 170622 Rel.64334n; detections should be scoped to these device/firmware combinations.
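The four detection rules above, applied to request records, as an added example (this is not code from the CVE page, the source advisory, or TP-Link's firmware). It also models the prefix-only Referer comparison the page describes so the whitelist weakness can be seen directly. The request records and their field names (`path`, `headers`, `has_session`) are constructed for illustration and are assumptions about what a proxy or capture tool would log; the whitelisted hostnames come from the page, the router IP is the one in the page's example and may differ per device.

```python
"""Detection rules for the TP-Link Referer/Cookie issues, run over constructed
HTTP request records. Added example; not the page's or vendor's code."""
from __future__ import annotations

from urllib.parse import urlsplit

# Referer hosts the page says the firmware whitelists. The IP is the one used in
# the page's example request; on another device it may differ (assumption).
WHITELIST_HOSTS = ("tplinkwifi.net", "tplinklogin.net", "192.168.0.1")


def flawed_referer_check(referer: str) -> bool:
    """Model of the firmware-style check described on the page:
    strncmp(host, allowed, strlen(allowed)) == 0, i.e. any host that merely
    *starts with* an allowed name passes (tplinkwifi.net.drive-by-attack.com,
    192.168.0.10, ...)."""
    host = urlsplit(referer).hostname or ""
    return any(host.startswith(allowed) for allowed in WHITELIST_HOSTS)


def strict_referer_check(referer: str) -> bool:
    """Hardened comparison: whole-host equality (urlsplit lowercases the host)."""
    host = urlsplit(referer).hostname or ""
    return host in WHITELIST_HOSTS


def classify_request(req: dict) -> list[str]:
    """Return the labels of the detection rules that fire for one request.
    `req` has: path (str), headers (dict), has_session (bool, assumed to be
    known to whatever produced the record)."""
    findings: list[str] = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    referer = headers.get("referer", "")
    cookie = headers.get("cookie", "")
    path = req.get("path", "")

    # Cookie header whose value is exactly "Authorization;" (name, no value):
    # the page reports this crashes httpd on affected devices.
    if cookie.strip() == "Authorization;":
        findings.append("dos-cookie-authorization")

    # Referer that is not an http(s) URL at all (e.g. the bare word "DOS"):
    # reported NULL pointer dereference in http_parser_main.
    if referer and urlsplit(referer).scheme not in ("http", "https"):
        findings.append("dos-nonhttp-referer")

    host = (urlsplit(referer).hostname or "") if referer else ""
    # Host begins with a whitelisted name but is longer: strncmp prefix abuse.
    if host and flawed_referer_check(referer) and not strict_referer_check(referer):
        findings.append("csrf-referer-prefix-abuse")

    # Request under /cgi that passes the Referer whitelist with no valid session.
    if path.startswith("/cgi") and flawed_referer_check(referer) and not req.get("has_session", False):
        findings.append("auth-bypass-spoofed-referer")

    return findings


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    {"path": "/mainFrame.htm", "has_session": True,
     "headers": {"Referer": "http://192.168.0.1/", "Cookie": "Authorization=abc123"}},
    {"path": "/cgi?2", "has_session": False,
     "headers": {"Referer": "http://192.168.0.1/mainFrame.htm"}},
    {"path": "/", "has_session": False,
     "headers": {"Referer": "http://tplinkwifi.net/", "Cookie": "Authorization;"}},
    {"path": "/cgi/", "has_session": False,
     "headers": {"Referer": "http://tplinkwifi.net.drive-by-attack.com/"}},
    {"path": "/", "has_session": False,
     "headers": {"Referer": "DOS"}},
]


def scan(requests: list[dict]) -> dict[int, list[str]]:
    """Index -> findings for every record that triggers at least one rule."""
    return {i: f for i, r in enumerate(requests) if (f := classify_request(r))}


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx]["path"], labels)
```

Scoping note: the rules fire on any host, so in production restrict them to traffic destined for the affected TL-WR840N/TL-WR841N builds as the last bullet advises; a legitimate browser on the LAN also sends `Referer: http://192.168.0.1/...` with a valid session, which is why the bypass rule requires the session to be absent.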

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL