Widespread Exploitation of TP-Link Router Vulnerabilities
Attackers are actively targeting several popular TP-Link routers in the consumer market, exploiting severe security flaws that have put countless users at risk. The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings about a command injection vulnerability that allows unauthorized attackers to execute arbitrary commands on affected routers. This vulnerability, rated 8.8 out of 10 in severity, is now listed in CISA’s Known Exploited Vulnerabilities Catalog, signaling that it is being leveraged in real-world attacks.
Impacted TP-Link Router Models and Versions
TP-Link TL-WR940N 450Mbps: End-of-Life and Exposed
The TP-Link TL-WR940N 450Mbps router, specifically versions V2 and V4, is among the most affected. These hardware versions have reached end-of-life status, meaning they no longer receive security updates or patches. Despite this, the model remains widely available for purchase, boasting over 9,000 positive reviews on Amazon. The last firmware updates for these vulnerable versions were released in 2016, leaving them open to exploitation.
TP-Link TL-WR841N: High Popularity, High Risk
The TL-WR841N model, particularly versions V8 and V10, is also vulnerable. Firmware support for these versions ended in 2015, and all versions up to V11 are now end-of-life. With over 77,000 reviews and a high ranking among computer routers on Amazon, this model remains in widespread use, amplifying the scale of the security risk.
TP-Link TL-WR740N: Outdated Hardware, Persistent Threat
All versions of the TP-Link TL-WR740N, especially V1 and V2, are impacted by the same vulnerability. These routers have not received any firmware updates in over 15 years, leaving them defenseless against modern cyber threats. As with the other models, the absence of updates means that any discovered vulnerabilities remain unpatched and exploitable.
Technical Details of the Command Injection Vulnerability
Exploitation Through Web Management Interfaces
The critical vulnerability resides in the routers’ web management interfaces. Attackers exploit improper input validation when processing specific parameters in GET requests. This flaw enables hackers to inject malicious commands, gaining unauthorized control over the device. Proof-of-concept exploits are widely accessible online, making it easier for cybercriminals to target vulnerable devices.
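The following detector is an added example, not code from CISA, TP-Link, or the original article: it reviews a proxy or gateway access log for GET requests whose query parameters decode to shell metacharacters, the injection pattern described above. The Common Log Format lines, the path `/example/settings`, and the parameter names are constructed placeholders, not the affected endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters and sequences a shell treats as separators or substitutions.
# Heuristic for review: a legitimate value can also contain '&' or '|'.
SHELL_META = re.compile(r"[;&|`\n\r]|\$\(|\$\{")
# Source address and request line of a Common Log Format entry (assumed format).
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; path and parameter names are placeholders.
SAMPLE_LOG = [
    '192.168.0.23 - - [01/Jul/2025:10:00:00 +0000] "GET /example/settings?name=guest-wifi&channel=6 HTTP/1.1" 200 431',
    '192.168.0.57 - - [01/Jul/2025:10:00:05 +0000] "GET /example/settings?name=x%3Buname%20-a&channel=6 HTTP/1.1" 200 431',
    '203.0.113.9 - - [01/Jul/2025:10:00:09 +0000] "GET /example/settings?name=x%2560id%2560 HTTP/1.1" 200 431',
    '192.168.0.57 - - [01/Jul/2025:10:00:12 +0000] "POST /example/settings?name=x%3Bid HTTP/1.1" 200 431',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Names of query parameters whose decoded value has shell metacharacters."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SHELL_META.search(fully_decode(value))]

def scan(lines):
    """Return (source, target, params) for each GET request worth reviewing."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m.group("method") != "GET":
            continue  # the flaw described here is reached through GET requests
        params = suspicious_params(m.group("target"))
        if params:
            findings.append((m.group("src"), m.group("target"), params))
    return findings

if __name__ == "__main__":
    for src, target, params in scan(SAMPLE_LOG):
        print(f"review: {src} -> {target} (parameters: {', '.join(params)})")
```

Both LAN and internet source addresses appear in the findings, so the same check applies whether or not remote management is exposed.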
Attack Vectors: Remote and Local Network Risks
The risk is particularly high for routers exposed to the internet with remote access features enabled. However, attackers can also compromise devices from within the same local network, meaning even users who do not expose their routers to the internet are not immune. This broadens the attack surface and increases the urgency for mitigation.
Official Warnings and Required Actions
CISA’s Directive for Federal and Private Networks
CISA has mandated that all federal agencies remove the affected TP-Link routers from their networks by July 7th, 2025. The agency strongly urges all organizations and individual users to discontinue use of these outdated models immediately. The continued use of unsupported hardware creates significant vulnerabilities, not only for individuals but also for larger organizational and federal networks.
End-of-Life Status and Security Update Limitations
End-of-life hardware no longer receives critical security updates, making it an ongoing target for cybercriminals. Users are advised to replace these routers with newer, supported models to maintain network security and prevent unauthorized access.
Frequently Asked Questions
Q1: Which TP-Link router models are currently at the highest risk?
A1: The most at-risk models are the TP-Link TL-WR940N (V2/V4), TL-WR841N (V8/V10), and TL-WR740N (V1/V2), all of which have reached end-of-life and no longer receive security updates.
Q2: How do attackers exploit the vulnerability in these routers?
A2: Attackers use the routers’ web management interface to send specially crafted GET requests that exploit improper input validation, allowing them to inject malicious commands and gain unauthorized control.
Q3: What should users do if they own one of the affected routers?
A3: Users should immediately discontinue use of these routers and replace them with supported models that receive regular security updates. Keeping outdated hardware increases the risk of compromise.