TP-Link Router Vulnerabilities Actively Exploited by Hackers, CISA Urges Immediate Disconnection

CISA warns of active exploitation targeting outdated TP-Link routers with command injection flaws. Users and federal agencies must act fast to avoid security breaches.

    Thousands of widely used TP-Link routers—still being sold online with glowing reviews—have been found vulnerable to a critical command injection flaw that’s now under active exploitation by threat actors. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling a direct and growing threat to both consumer and enterprise networks.

    Outdated TP-Link Models Under Threat

    The vulnerability affects multiple TP-Link router models, all of which have reached their end-of-life and will no longer receive firmware updates. That leaves users completely exposed to attacks that exploit the device’s web interface.

    The models include:

    • TL-WR940N (Versions V2/V4)
      End-of-life with last firmware released in 2016. Still available online, with over 9,000 reviews on Amazon.
    • TL-WR841N (Versions V8/V10)
      First launched in 2005, with some versions supported until 2015. This model has over 77,000 reviews and is still ranked among Amazon’s top routers.
    • TL-WR740N (Versions V1/V2)
      These hardware versions have not received updates for over 15 years. All variants of this model are end-of-life.

    These devices remain common in households and small offices due to their low price and high availability. However, CISA has issued a strong advisory:
    “Users should discontinue product utilization.”

    What Makes the Flaw Dangerous?

    The core issue lies in the web management interface of the affected routers. According to researchers, the vulnerability stems from improper validation of parameters in HTTP GET requests. This opens the door for command injection—allowing attackers to run unauthorized commands on the device.

    Rated 8.8 on the CVSS scale, the vulnerability can be exploited in two key ways:

    • Remotely, if the router is exposed to the internet through port forwarding or remote management.
    • Locally, by any user connected to the same network.

    With public proof-of-concept code widely circulating, attackers no longer need advanced skills to execute these attacks. It’s become a low-barrier, high-reward exploit in the wild.

    Federal Deadline and Industry Impact

    CISA has given federal agencies a strict deadline: Remove all affected TP-Link routers from networks by July 7, 2025. The agency also urges private-sector organizations and consumers to take similar action.

    “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise,”
    CISA advisory

    Given how long some of these routers have been out of support, the real concern lies in how many of them are still deployed—often without the knowledge of IT departments, especially in smaller environments.

    A Broader Issue in Router Lifecycle Management

    This incident underscores a broader challenge in managing IoT and edge network devices—particularly consumer-grade routers. Even as hardware gets older, it often remains in use well beyond its supported life. Without firmware updates, these devices become open doors for attackers.

    Organizations should not only conduct audits for outdated devices but also enforce stronger controls on remote management features and network segmentation.
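    As an added example (not from CISA or TP-Link), an audit of this kind can be scripted against a device inventory, matching entries to the models and hardware versions listed above and ranking them by the two exposure paths described. The CSV layout, host names, and the wan_mgmt column are constructed assumptions.

```python
import csv
import io
import re

# Affected models and hardware versions, taken from the list in this article.
AFFECTED = {"TL-WR940N": {2, 4}, "TL-WR841N": {8, 10}, "TL-WR740N": {1, 2}}

# Model token, optional regional suffix such as "(EU)", optional hardware version ("V10", "v4.0", "Ver 8").
MODEL_RE = re.compile(
    r"\b(TL-WR\d{3}N)\b(?:\s*\([A-Z]{2}\))?(?:\s*(?:VER\.?|V)\s*(\d+)(?:\.\d+)?)?",
    re.IGNORECASE)

# Constructed sample inventory; wan_mgmt = management reachable from the internet
# (remote management enabled or a port forward to the web interface).
SAMPLE = """host,description,wan_mgmt
lobby-ap,tl-wr940n v4,no
store-rtr,TL-WR740N,no
branch-gw1,TP-Link TL-WR841N(EU) V10.0,yes
lab-rtr,TL-WR841N v14,no
hq-rtr,Archer C7 v5,yes
"""

def classify(description, wan_mgmt):
    """Return (status, exposure) for one inventory description string."""
    m = MODEL_RE.search(description)
    model = m.group(1).upper() if m else None
    if model not in AFFECTED:
        return ("not-listed", None)
    exposure = "remote+local" if wan_mgmt else "local"
    if m.group(2) is None:
        return ("verify-version", exposure)  # hardware version missing: check the label
    if int(m.group(2)) in AFFECTED[model]:
        return ("affected", exposure)
    return ("not-listed", None)

def audit(inventory_csv):
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        wan = row["wan_mgmt"].strip().lower() == "yes"
        status, exposure = classify(row["description"], wan)
        if status != "not-listed":
            findings.append((row["host"], status, exposure))
    # Internet-reachable devices first, then confirmed matches before unverified ones.
    findings.sort(key=lambda f: (f[2] != "remote+local", f[1] != "affected"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

    A "not-listed" result only means the entry does not match the models and versions named in this article; it says nothing about whether the device is still supported.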

    If you’re still using one of these TP-Link models—or if you’re unsure what your infrastructure relies on—it’s time for a closer look.
