CVE-2026-3227
MEDIUMAuthenticated Command Injection on TP-Link TL-WR802N, TL-WR841N and TL-WR840N
Title source: cnaExploitation Summary
EIP tracks 2 public exploits for CVE-2026-3227. PoCs published by do4choo.
AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-3227, an authenticated RCE vulnerability in TP-Link routers. The exploit generates a malicious configuration file by decrypting an original backup, injecting a payload into the WAN IP connection settings, and re-encrypting it for upload to the router.
Description
A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing. Successful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise.
Exploits (2)
This repository contains a functional exploit for CVE-2026-3227, an authenticated RCE vulnerability in TP-Link routers. The exploit generates a malicious configuration file by decrypting an original backup, injecting a payload into the WAN IP connection settings, and re-encrypting it for upload to the router.
This repository contains a functional exploit for CVE-2026-3227, targeting TP-Link routers. It includes tools to decrypt, modify, and re-encrypt router configuration files to inject malicious commands, leveraging a vulnerability in the configuration backup/restore process.
References (6)
Scores
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H