Hackers are attacking some of the most popular TP-Link routers. Are you affected?


Hackers are actively exploiting vulnerabilities in popular TP-Link routers, which have tens of thousands of reviews on Amazon. A US cyber watchdog is urging users to ditch old router models that won’t get security updates.

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities Catalog with a TP-Link command injection vulnerability.

While the flaw was discovered two years ago, the current addition means that cybercriminals have been actively exploiting it recently.

The command injection vulnerability is considered highly severe and has an assigned score of 8.8 out of 10. It allows attackers to execute commands on routers without proper authorization.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise,” CISA warns.

The affected series are very popular in the consumer market.

The first affected model is the TP-Link TL-WR940N 450Mbps router, specifically versions V2/V4. These hardware versions have already reached their end of life, meaning they won’t receive any security updates.

The model, likely with newer hardware versions, is still available to purchase and has over 9,000 positive reviews on Amazon.

The last available firmware versions for the affected versions were released in 2016.

Even more popular is the TP-Link TL-WR841N. CISA warns about vulnerable versions V8/V10, which received their last firmware updates in 2015.

With over 77,000 reviews, this old model is still ranked 165th among Computer Routers on Amazon. It was first available in December of 2005, and versions up to V11 have reached end-of-life.

TP-Link TL-WR740N versions V1/V2 also share the vulnerability; all versions of this router are currently end-of-life. The specified versions haven’t been updated for 15 years now.

“Users should discontinue product utilization,” CISA warns.

Proof-of-concept exploits are widely available online. The vulnerability lies in the routers’ web management interfaces. When they process a specific parameter in a GET request, they fail to properly validate user input, enabling hackers to inject malicious commands.

While these types of flaws are the most dangerous on publicly exposed routers with remote access features, attackers can also exploit them from within the same local network.

Federal agencies must remove these routers from their network by July 7th, 2025, and CISA urges all organizations to follow suit.
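
For teams that need to find these devices before removing them, the following added example (not from the article or from CISA) classifies the model and hardware-version labels in an asset inventory against the versions named above. The inventory format, hostnames and label strings are constructed, and "up to V11" is read as inclusive.

```python
import csv
import io
import re

# Hardware versions the article names as vulnerable (CISA KEV entry).
AFFECTED = {"TL-WR940N": {2, 4}, "TL-WR841N": {8, 10}, "TL-WR740N": {1, 2}}
# End-of-life ranges stated in the article: WR841N up to V11 (read as
# inclusive, an assumption), WR740N all versions (None = every version).
EOL_UP_TO = {"TL-WR841N": 11, "TL-WR740N": None}

# Matches labels such as "TL-WR841N(EU) Ver:10.1", "tl-wr940n v4", "TL-WR740N V2.0".
LABEL_RE = re.compile(
    r"(TL-WR\d{3}N)\b.*?\bV(?:ER(?:SION)?)?[\s:.]*(\d+)", re.IGNORECASE)

# Constructed sample inventory; hostnames and labels are made up.
SAMPLE_INVENTORY = """host,label
branch-gw-01,TL-WR841N(EU) Ver:10.1
lab-ap-02,tl-wr940n v4
home-office-03,TL-WR841N V9
store-04,TL-WR740N v4.2
hq-05,TL-WR940N V6
printer-net-06,Unknown router
"""

def classify(label):
    """Return (model, hw_major, status) for one device label string."""
    m = LABEL_RE.search(label)
    if not m:
        return (None, None, "unparsed")
    model, major = m.group(1).upper(), int(m.group(2))
    if major in AFFECTED.get(model, ()):
        return (model, major, "affected")
    if model in EOL_UP_TO:
        limit = EOL_UP_TO[model]
        if limit is None or major <= limit:
            return (model, major, "end-of-life")
    return (model, major, "not-listed")

def audit(csv_text):
    """Classify every inventory row; rows needing replacement come first."""
    order = {"affected": 0, "end-of-life": 1, "unparsed": 2, "not-listed": 3}
    rows = [(r["host"],) + classify(r["label"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(rows, key=lambda r: order[r[3]])

if __name__ == "__main__":
    for host, model, hw, status in audit(SAMPLE_INVENTORY):
        print(f"{status:12} {host:16} {model or '-'} V{hw or '?'}")
```

Rows reported as "unparsed" need a manual look at the label on the device, since a missing hardware version is not evidence that the unit is unaffected.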