CVE-2022-48194

HIGH

TP-Link TL-WR902AC Firmware < 3.0.9.1 - Authenticated Remote Code Execution via Crafted Firmware Update

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-48194. PoCs published by Tobias Müller, otsmr.

AI-analyzed exploit summary This exploit constructs a malicious firmware image for TP-Link TL-WR902AC by embedding a backdoor (netcat reverse shell) into the firmware's init scripts, then uploads it to the device via authenticated HTTP requests. It leverages AES and RSA encryption for session handling and firmware signing.

Description

TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.

Exploits (2)

exploitdb WORKING POC

by Tobias Müller · pythonremotehardware

https://www.exploit-db.com/exploits/51192

View Code ZIP pw:eip

This exploit constructs a malicious firmware image for TP-Link TL-WR902AC by embedding a backdoor (netcat reverse shell) into the firmware's init scripts, then uploads it to the device via authenticated HTTP requests. It leverages AES and RSA encryption for session handling and firmware signing.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: TP-Link TL-WR902AC firmware 210730 (V3) Build 220329

Auth required

Prerequisites: Admin credentials for the router · Network access to the router's web interface · Tools: binwalk, fakeroot, unsquashfs, mksquashfs

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1587 - Develop Capabilities

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 19 stars

by otsmr · poc

https://github.com/otsmr/internet-of-vulnerable-things

View Code ZIP pw:eip

This PoC exploits CVE-2022-48194, a firmware update vulnerability in TP-Link TL-WR902AC routers, allowing authenticated attackers to execute arbitrary code via a crafted firmware update. The exploit automates the process of downloading, modifying, and uploading malicious firmware to achieve RCE.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TP-Link TL-WR902AC V3 0.9.1 and earlier

Auth required

Prerequisites: Authenticated access to the router · Router firmware download URL · Tools like binwalk, unsquashfs, and mksquashfs

MITRE ATT&CK

T1189 - Drive-by Compromise T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/otsmr/internet-of-vulnerable-things/tree/main/exploits

View Exploit ZIP pw:eip

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171623/TP-Link-TL-WR902AC-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.3348

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

tp-link/tl-wr902ac_firmware < 3.0.9.1

Published Dec 30, 2022

Tracked Since Feb 18, 2026