CVE-2018-11714

CRITICAL EXPLOITED

TP-Link TL-WR840N/TL-WR841N <5 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-11714 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including BlackFog Team, mikelkarma.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass vulnerability in TP-Link routers (TL-WR840N and TL-WR841N) by manipulating the Referer header to access sensitive endpoints without authentication. It includes examples for downloading configuration files, enabling port forwarding, rebooting the router, and modifying WiFi settings.

Description

An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action.

Exploits (3)

exploitdb WORKING POC
by BlackFog Team · textwebappshardware
https://www.exploit-db.com/exploits/44781

This exploit demonstrates an authentication bypass vulnerability in TP-Link routers (TL-WR840N and TL-WR841N) by manipulating the Referer header to access sensitive endpoints without authentication. It includes examples for downloading configuration files, enabling port forwarding, rebooting the router, and modifying WiFi settings.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TP-Link TL-WR840N v5, TL-WR841N v13 (Firmware Version: 0.9.1 3.16/4.16)
No auth needed
Prerequisites: Network access to the router's web interface · Knowledge of the router's IP address
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by mikelkarma · infoleak
https://github.com/mikelkarma/cve-2018-11714_POC

This PoC exploits an authentication bypass vulnerability in TP-Link TL-WR840N routers by sending a crafted Referer header to download the configuration file. It then decrypts the configuration file using OpenSSL with a hardcoded DES-ECB key.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TP-Link TL-WR840N
No auth needed
Prerequisites: Network access to the target router · Router IP address
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
infoleak
https://github.com/wiliam227user/CVE-2018-12633-TPLink-Auth-Bypass

This repository contains a functional exploit for CVE-2018-12633, an authentication bypass vulnerability in TP-Link TL-WR840N routers. The exploit manipulates the HTTP Referer header to bypass authentication and dump the router's configuration file, which can then be decrypted using the provided Python script.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TP-Link TL-WR840N (Firmware ~June 2018)
No auth needed
Prerequisites: Network access to the target router · Curl installed on the attacker's machine
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
http://blog.securelayer7.net/time-to-disable-tp-link-home-wifi-router/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44781/

Scores

CVSS v3 9.8
EPSS 0.3652
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-10-09
CWE
CWE-384
Status published
Products (2)
tp-link/tl-wr840n_firmware 0.9.1_3.16
tp-link/tl-wr841n_firmware 0.9.1_4.16
Published Jun 04, 2018
Tracked Since Feb 18, 2026