CVE-2024-54887

HIGH

TP-Link TL-WR940N V3/V4 < 3.16.9 - Authenticated Remote Code Execution via dnsserver1/dnsserver2 Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-54887. PoCs published by Gumbraise.

AI-analyzed exploit summary This repository contains a functional TypeScript PoC for CVE-2024-54887, an authenticated RCE vulnerability in TP-Link TL-WR940N routers. The exploit leverages a buffer overflow in the Wan6to4TunnelCfgRpm.htm endpoint to execute shellcode, resulting in a bind shell on port 4444.

Description

TP-Link TL-WR940N V3 and V4 with firmware 3.16.9 and earlier contain a buffer overflow via the dnsserver1 and dnsserver2 parameters at /userRpm/Wan6to4TunnelCfgRpm.htm. This vulnerability allows an authenticated attacker to execute arbitrary code on the remote device in the context of the root user.

Exploits (1)

github WORKING POC
by Gumbraise · typescriptpoc
https://github.com/Gumbraise/CVE-2024-54887-PoC

This repository contains a functional TypeScript PoC for CVE-2024-54887, an authenticated RCE vulnerability in TP-Link TL-WR940N routers. The exploit leverages a buffer overflow in the Wan6to4TunnelCfgRpm.htm endpoint to execute shellcode, resulting in a bind shell on port 4444.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link TL-WR940N v3/v4
Auth required
Prerequisites: Target IP address · Valid credentials (default: admin/admin)
devstral-2 · analyzed Jun 06, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.0
EPSS 0.0613
EPSS Percentile 92.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-120
Status published
Products (1)
tp-link/tl-wr940n_firmware < 3.16.9
Published Jan 09, 2025
Tracked Since Feb 18, 2026