CVE-2022-25061
published 2022-02-25

CVE-2022-25061: TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.

Priority: P1 · 82 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 72.50% (99.4th percentile)

Affected

1 range
Vendor: tp-link
Product: tl-wr840n_firmware
Version range / Fixed in: not recorded in this entry

Detection & IOCs (extracted from sources)

url: /cgi?2
path: /tmp/{(unknown)}.txt
command: cat /etc/passwd > /tmp/{(unknown)}.txt
command: cat /proc/cpuinfo >> /tmp/{(unknown)}.txt
yara regex: root:[x*]:0:0
  • Exploit targets POST /cgi?2 endpoint with Content-Type: text/plain and a structured body using CWMP-style object notation (e.g., [NOIP_DNS_CFG#...] and [L3_IP6_FORWARDING#...]) to inject commands into fields such as userName, password, userDomain, __ifName.
  • Command injection payload is delivered via semicolon-delimited shell commands embedded in CWMP object field values (userName, password, userDomain, __ifName). Look for semicolons surrounding shell commands in POST body fields to /cgi?2.
  • Second-stage exploitation uses the L3_IP6_FORWARDING object with __ifName field for command injection via the oal_setIp6DefaultRoute component.
  • Shodan query to identify exposed TP-Link TL-WR840N management interfaces: title:"TL-WR840N"
  • Successful exploitation is confirmed by presence of 'root:[x*]:0:0' pattern in HTTP 200 response body, indicating /etc/passwd content was read and returned.
  • Exploitation requires valid credentials (HTTP Basic Auth). The vulnerability is authenticated, meaning an attacker must first obtain or know the router's username and password.
  • The vulnerability is specific to firmware version TL-WR840N(ES)_V6.20_180709 (CPE: cpe:2.3:o:tp-link:tl-wr840n_firmware:6.20_180709). Other firmware versions may not be affected.
  • The exploit uses a randomly generated 3-character lowercase filename as a temporary staging file in /tmp/. Detection based on specific filenames will not be reliable; focus on the command injection pattern instead.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P