CVE-2022-25064

CRITICAL EXPLOITED

TP-LINK TL-WR840N(ES)_V6.20_180709 - Remote Code Execution via oal_wan6_setIpAddr Function

Title source: llm

Exploitation Summary

CVE-2022-25064 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Mr-xn, exploitwritter.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-25064, a remote command execution vulnerability in TP-LINK TL-WR840N routers. The exploit leverages command injection via the `X_TP_ExternalIPv6Address` parameter in a crafted HTTP POST request to execute arbitrary commands on the target device.

Description

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.

Exploits (2)

nomisec WORKING POC 21 stars

by Mr-xn · poc

https://github.com/Mr-xn/CVE-2022-25064

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2022-25064, a remote command execution vulnerability in TP-LINK TL-WR840N routers. The exploit leverages command injection via the `X_TP_ExternalIPv6Address` parameter in a crafted HTTP POST request to execute arbitrary commands on the target device.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TP-LINK TL-WR840N

Auth required

Prerequisites: Network access to the target router · Valid administrator credentials for the router

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by exploitwritter · poc

https://github.com/exploitwritter/CVE-2022-25064

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in TP-Link WR840N routers via the IPv6 configuration function. It sends a crafted payload to execute arbitrary commands, including downloading and executing a reverse shell binary.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TP-Link WR840N router

Auth required

Prerequisites: Router IP address · Admin credentials · TFTP server for payload delivery

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Product x_refsource_misc

http://tp-link.com

Not Applicable, URL Repurposed x_refsource_misc

http://router.com

Exploit, Third Party Advisory x_refsource_misc

https://east-trowel-102.notion.site/CVE-2021-XXXX-rce-via-crafted-payload-in-an-ipv6-address-input-field-hidden-EN-98e24b6f841043fba17ec4627c34f5d1

Scores

CVSS v3 9.8

EPSS 0.3978

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-07-25

CWE

CWE-78

Status published

Products (1)

tp-link/tl-wr840n_firmware 6.20_180709

Published Feb 25, 2022

Tracked Since Feb 18, 2026