TP-Link TL-WR841N V13 (JP) vulnerable to OS command injection


​TP-Link TL-WR841N is a wifi router for home networks.
The firmware version 161028 for hardware version V13 (JP) is reported vulnerable to OS command injection (CWE-78).

According to the vendor, the firmware for hardware version V14 (JP) is not affected.

Koh You Liang of 3-shake Inc. reported this vulnerability to the developer and JPCERT/CC.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 8.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

TP-LINK Technologies
  • TL-WR841N V13 (JP) with firmware versions prior to 201216


Any user who can login to the web interface of the product may execute any OS commands.

[Update the Firmware]
Update to the latest version of the firmware according to the information provided by the developer.

The developer has released the firmware version 201216 to fix this vulnerability.
Vendor Information

TP-LINK Technologies
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-35576

  1. JVN : JVNVU#92444096
  2. Related document : TP-Link TL-WR841N Command Injection Exploit (CVE-2020-35576)
Revision History

  • [2021/01/25]
      Web page was published