CVE-2022-25061
Published 2022-02-25
CVE-2022-25061: TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.
Priority P182 · critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 72.50% (99.4th percentile)
Affected
1 range (no version bounds or fixed version recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tl-wr840n_firmware | — | — |
Detection & IOCs (extracted from sources)
YARA (regex): root:[x*]:0:0
This matches the root line of /etc/passwd in both its root:x:0:0 and root:*:0:0 forms, which is the success indicator the PoC looks for in the response.
- Exploit targets the POST /cgi?2 endpoint with Content-Type: text/plain and a structured body using CWMP-style object notation (e.g., [NOIP_DNS_CFG#...] and [L3_IP6_FORWARDING#...]) to inject commands into fields such as userName, password, userDomain and __ifName.
- The command injection payload is delivered as semicolon-delimited shell commands embedded in CWMP object field values (userName, password, userDomain, __ifName). Look for semicolons surrounding shell commands in POST body fields sent to /cgi?2.
- Second-stage exploitation uses the L3_IP6_FORWARDING object with the __ifName field for command injection via the oal_setIp6DefaultRoute component.
- Shodan query to identify exposed TP-Link TL-WR840N management interfaces: title:"TL-WR840N"
- Successful exploitation is confirmed by the presence of the 'root:[x*]:0:0' pattern in an HTTP 200 response body, indicating that /etc/passwd was read and its content returned.
- Exploitation requires valid credentials (HTTP Basic Auth). The vulnerability is authenticated: an attacker must first obtain or know the router's username and password.
- The vulnerability is specific to firmware version TL-WR840N(ES)_V6.20_180709 (CPE: cpe:2.3:o:tp-link:tl-wr840n_firmware:6.20_180709). The page records no other affected versions.
- The exploit uses a randomly generated 3-character lowercase filename as a temporary staging file in /tmp/. Detection based on specific filenames will not be reliable; focus on the command injection pattern instead.
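The request-shape and body indicators above can be turned into a small detector. The following is an added example written for this page; it is not code from the page, from the Nuclei template, or from TP-Link. It assumes (this is not stated on the page) that a /cgi?2 body consists of sections, each opened by a bracketed object header such as [NOIP_DNS_CFG#...] and followed by key=value lines; the exact header layout after the object name, the sample bodies and the sample response are constructed for the example.

```python
"""Detector for the CVE-2022-25061 request pattern described in the IOC notes.

Added example, not code from the page, the Nuclei template, or TP-Link.
Assumed body model (not from the page): one or more sections, each opened
by a bracketed object header "[OBJECT#...]" and followed by key=value lines.
All sample traffic below is constructed, not captured from a device.
"""
import re
from dataclasses import dataclass

# Object names and fields the page associates with the injection.
WATCHED_OBJECTS = {"NOIP_DNS_CFG", "L3_IP6_FORWARDING"}
WATCHED_FIELDS = {"userName", "password", "userDomain", "__ifName"}

# Shell metacharacters that have no business in a router config value.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\|\|")

# Success indicator from the page's YARA rule: the root line of /etc/passwd.
PASSWD_ROOT = re.compile(r"root:[x*]:0:0")

# Object header: the object name is everything between "[" and the first "#".
SECTION_HEADER = re.compile(r"^\[([A-Za-z0-9_]+)#")


@dataclass(frozen=True)
class Finding:
    obj: str
    field: str
    value: str


def parse_cgi_body(body: str) -> dict[str, dict[str, str]]:
    """Split a /cgi?2 body into {object_name: {field: value}} (assumed layout)."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in body.splitlines():
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value
    return sections


def find_injection(body: str) -> list[Finding]:
    """Flag watched fields in watched objects whose value carries shell metacharacters."""
    findings: list[Finding] = []
    for obj, fields in parse_cgi_body(body).items():
        if obj not in WATCHED_OBJECTS:
            continue
        for field, value in fields.items():
            if field in WATCHED_FIELDS and SHELL_META.search(value):
                findings.append(Finding(obj, field, value))
    return findings


def is_exploit_request(method: str, path: str, headers: dict[str, str], body: str) -> bool:
    """Combine the request-shape indicators from the page with the body check."""
    if method.upper() != "POST" or path != "/cgi?2":
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "text/plain":
        return False
    return bool(find_injection(body))


def exploit_succeeded(status: int, response_body: str) -> bool:
    """True when a 200 response carries the /etc/passwd root line."""
    return status == 200 and PASSWD_ROOT.search(response_body) is not None


# Constructed samples. The "#1,0,0,0,0,0#0,0,0,0,0,0]0,3" part of the header
# is an assumed layout, not taken from the page.
STAGE1_BODY = (
    "[NOIP_DNS_CFG#1,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n"
    "userName=a;cat /etc/passwd>/tmp/qzx;\r\n"
    "password=pass\r\n"
    "userDomain=example.net\r\n"
)
STAGE2_BODY = (
    "[L3_IP6_FORWARDING#1,0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
    "__ifName=eth0;sh /tmp/qzx;\r\n"
)
BENIGN_BODY = (
    "[NOIP_DNS_CFG#1,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n"
    "userName=dyndnsuser\r\n"
    "password=Correct-Horse\r\n"
    "userDomain=home.example.net\r\n"
)
SAMPLE_RESPONSE = "root:x:0:0:root:/root:/bin/sh\n"

if __name__ == "__main__":
    hdrs = {"Content-Type": "text/plain"}
    for name, body in (("stage1", STAGE1_BODY), ("stage2", STAGE2_BODY), ("benign", BENIGN_BODY)):
        print(name, is_exploit_request("POST", "/cgi?2", hdrs, body), find_injection(body))
    print("passwd leaked:", exploit_succeeded(200, SAMPLE_RESPONSE))
```

The detector keys on the combination the page describes (POST to /cgi?2, text/plain, a watched object, shell metacharacters in a watched field) rather than on the /tmp filename, which the page notes is randomised per run. Pairing it with the response check lets a proxy or IDS distinguish an attempt from a confirmed /etc/passwd read.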
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
Note: both NVD vectors score the flaw as requiring no privileges (PR:N, Au:N), while the IOC notes and the Nuclei template below describe authenticated exploitation over HTTP Basic Auth. Treat the 9.8 with that discrepancy in mind when prioritising.
No detection rules found.
Nuclei
CVE-2022-25061 [CRITICAL] TP-Link TL-WR840N - Command Injection (nuclei · CVSS 9.8)
The TP-Link TL-WR840N(ES)_V6.20_180709 router contains a command injection vulnerability in the oal_setIp6DefaultRoute component. This vulnerability allows authenticated attackers to execute arbitrary system commands, leading to complete device compromise.
Template (as indexed; the impact text is cut off at the end):

```yaml
id: CVE-2022-25061

info:
  name: TP-Link TL-WR840N - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    The TP-Link TL-WR840N(ES)_V6.20_180709 router contains a command injection vulnerability in the oal_setIp6DefaultRoute component. This vulnerability allows authenticated attackers to execute arbitrary system commands, leading to complete device compromise.
  impact: |
    Authenticated attackers can inject system commands through the oal_setIp6DefaultRoute component to e
```
No writeups or analysis indexed.
References
- http://router.com
- http://tp-link.com
- https://east-trowel-102.notion.site/CVE-2021-XXXX-Injection-of-commands-through-object-oal_setIp6DefaultRoute-EN-ddf9c1db199d49829269147ada6cb312