CVE-2026-3227

MEDIUM

Authenticated Command Injection on TP-Link TL-WR802N, TL-WR841N and TL-WR840N

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-3227. PoCs published by do4choo.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-3227, an authenticated RCE vulnerability in TP-Link routers. The exploit generates a malicious configuration file by decrypting an original backup, injecting a payload into the WAN IP connection settings, and re-encrypting it for upload to the router.

Description

A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing. Successful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise.

Exploits (2)

nomisec WORKING POC 41 stars
by do4choo · poc
https://github.com/do4choo/CVE-2026-3227-TP-Link-authenticated-RCE

This repository contains a functional exploit for CVE-2026-3227, an authenticated RCE vulnerability in TP-Link routers. The exploit generates a malicious configuration file by decrypting an original backup, injecting a payload into the WAN IP connection settings, and re-encrypting it for upload to the router.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link router firmware (specific version not specified)
Auth required
Prerequisites: Authenticated access to the TP-Link router · Original backup configuration file (config.bin) · QEMU environment for re-encryption
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →
github WORKING POC
by do4choo · pythonpoc
https://github.com/do4choo/CVE-2026-3227

This repository contains a functional exploit for CVE-2026-3227, targeting TP-Link routers. It includes tools to decrypt, modify, and re-encrypt router configuration files to inject malicious commands, leveraging a vulnerability in the configuration backup/restore process.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: TP-Link router firmware (specific version not specified)
Auth required
Prerequisites: Access to a valid router configuration backup file · Ability to upload the modified configuration to the router · Triggering a Port Triggering event
mistral-large-3 · analyzed Jun 25, 2026 Full analysis →

Scores

CVSS v3 6.8
EPSS 0.0110
EPSS Percentile 61.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (6)
TP Link Systems Inc./TL-WR840N v6 < V6_260304
tp-link/tl-wr802n_firmware < 260304
tp-link/tl-wr840n_firmware < 260304
tp-link/tl-wr841n_firmware < 260303
TP-Link Systems Inc./TL-WR802N v4 < V4_260304
TP-Link Systems Inc./TL-WR841N v14 < V14_260303
Published Mar 16, 2026
Tracked Since Mar 16, 2026