CVE-2023-36489
HIGHTP-Link TL-WR802N, TL-WR841N, and TL-WR902AC - OS Command Injection
Title source: manualDescription
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: TL-WR802N firmware versions prior to 'TL-WR802N(JP)_V4_221008', TL-WR841N firmware versions prior to 'TL-WR841N(JP)_V14_230506', and TL-WR902AC firmware versions prior to 'TL-WR902AC(JP)_V3_230506'.
References (4)
Core 4
Core References
Third Party Advisory
https://jvn.jp/en/vu/JVNVU99392903/
Scores
CVSS v3
8.8
EPSS
0.0014
EPSS Percentile
33.7%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
tp-link/tl-wr802n_firmware
< 221008
tp-link/tl-wr841n_firmware
< 230506
tp-link/tl-wr902ac_firmware
< 230506
Published
Sep 06, 2023
Tracked Since
Feb 18, 2026