External risk intelligence

TP-LINK TL-WR840N Remote Code Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-25064

The product is a consumer wireless router. Routers are designed to be deployed at the network edge, and management interfaces or services exposed by these devices are commonly reachable from the internet or the network they are intended to gateway.

OS Command Injection

Tp Link Tl Wr840n Firmware

6.20_180709

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a TP-Link router model that could allow unauthorized remote code execution. This issue affects how the device handles IPv6 address inputs, potentially enabling an attacker to compromise the device without any user interaction. The main concern is confirming if this specific router model is in use within our environment.

  • Remote code execution flaw in router settings.
  • Affects network edge devices, a critical security point.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could target a TP-LINK TL-WR840N router exposed to the internet by sending a specially crafted request to the `oal_wan6_setIpAddr` function. This function is susceptible to remote code execution, meaning a successful attack could allow an attacker to run arbitrary commands on the device.

  • Device exposed to the internet.
  • Triggered by a malformed IPv6 address input.
  • Allows arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the affected device when exposed to a network, potentially disrupting its intended service.

  • Router firmware and its services.
  • Remote unauthenticated network access.
  • Device compromise and network disruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects a consumer wireless router typically deployed at the network edge, making its management interfaces potentially accessible externally. Ownership likely falls to the team managing network infrastructure and edge devices, with initial steps involving identifying all instances of the affected router, assessing their internet or business-critical exposure, and pinpointing the accountable owner for remediation planning.

  • Network infrastructure teams own the issue.
  • Verify external reachability and business impact.
  • Plan coordinated remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the TP-LINK TL-WR840N?

The TP-LINK TL-WR840N is a consumer wireless router used to provide Wi-Fi connectivity and manage internet traffic for home or small office networks. As a network edge device, it sits between your local devices and the wider internet, handling routing, firewalling, and various internal services. The specific firmware version 6.20_180709 is the software component identified in this vulnerability.

What is the weakness in CVE-2022-25064?

This vulnerability is classified as CWE-78, or OS Command Injection. It occurs when a program passes unsafe user input directly to a system shell. In this case, the `oal_wan6_setIpAddr` function fails to properly validate inputs, allowing an attacker to inject and execute their own malicious commands on the router's operating system instead of just processing a standard IPv6 configuration.

How is the vulnerability triggered?

An attacker triggers this flaw by sending a specially crafted, malformed IPv6 address input to the target device. Because this involves the system's input processing logic, it does not require an attacker to have a pre-existing account or administrative session on the router. Simply sending the malicious request to the vulnerable function is sufficient to potentially gain unauthorized control.

Do I need to worry about this router?

You should assess this if you have the affected TP-LINK devices in your environment. Halo Surface Signal notes that routers are often deployed at the network edge, making them highly visible to outside traffic. If your device's management interfaces or services are reachable from the internet, the risk increases because an attacker does not need to be on your local network to send the malicious request.

When should I take action for this CVE?

Start immediately by auditing your inventory to locate any TL-WR840N units running the affected firmware version. Once identified, evaluate whether those devices are exposed to the internet. Coordinate with your network infrastructure or IT management teams to restrict access to these devices and prioritize the deployment of official firmware updates or manufacturer-recommended mitigations to secure the equipment.

References