CVE-2019-6487

HIGH

TP-Link WDR Series < 3.0 - Authenticated Remote Code Execution via Weather Citycode Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6487. PoCs published by afang5472.

AI-analyzed exploit summary This PoC exploits a command injection vulnerability in TP-Link WDR5620-V3.0 routers by injecting a command into the 'citycode' parameter of a JSON payload, which is then executed on the router. The result of the command (e.g., 'whoami') is written to a file and retrieved via an HTTP GET request.

Description

TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.

Exploits (1)

nomisec WORKING POC 40 stars
by afang5472 · poc
https://github.com/afang5472/TP-Link-WDR-Router-Command-injection_POC

This PoC exploits a command injection vulnerability in TP-Link WDR5620-V3.0 routers by injecting a command into the 'citycode' parameter of a JSON payload, which is then executed on the router. The result of the command (e.g., 'whoami') is written to a file and retrieved via an HTTP GET request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: TP-Link WDR5620-V3.0
Auth required
Prerequisites: Network access to the router · Valid login token (stok)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.8
EPSS 0.0852
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (5)
tp-link/tl-wdr3500_firmware < 3.0
tp-link/tl-wdr3600_firmware < 3.0
tp-link/tl-wdr4300_firmware < 3.0
tp-link/tl-wdr4900_firmware < 3.0
tp-link/tl-wdr5620_firmware < 3.0
Published Jan 18, 2019
Tracked Since Feb 18, 2026